About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is still 4 if nobody answered the BCHK interface
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger answered instead of our handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
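The two DR7 values quoted above (0x700 and 0x400) are easier to reason about once the register is decoded. The decoder below is an added example, not code from the original text: it implements the DR7 bit layout as documented by Intel (L0..G3 enable bits at bits 0-7, LE/GE at bits 8-9, the always-set bit 10, GD at bit 13, the R/Wn and LENn fields from bit 16 up), then classifies a value using only the two figures the text gives. The classification labels, the bpm_dr7 helper and the sample values are constructed for illustration.

```python
# Added example (not from the original text): decode an x86 DR7 value into
# the hardware breakpoints it enables, then classify it using the two values
# Method 10 quotes (0x700 = loaded through the SoftICE loader, 0x400 = plain).
# Bit positions follow the Intel SDM description of DR7.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes on 64-bit CPUs


def decode_dr7(dr7):
    """Return a dict describing every enabled DRx slot plus the global flags."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 live at the even bits
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 live at the odd bits
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wn field: what access triggers
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENn field: width of the watch
            slots.append({
                "slot": i,
                "scope": "global" if glob else "local",
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),                # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),                # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),   # reads as 1 on real hardware
        "GD": bool((dr7 >> 13) & 1),               # general detect: trap on DRx access
    }


def classify_dr7(dr7):
    """Label a DR7 value the way Method 10 reads it (constructed heuristic)."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoints set (dr0-dr3 in use)"
    if d["LE"] and d["GE"]:
        return "exact-breakpoint flags set (0x700: loaded via SoftICE loader)"
    return "no breakpoints, no exact flags (0x400: plain load)"


def bpm_dr7(slot, kind, length, dr7=0x400):
    """Build the DR7 that one memory breakpoint (a SoftICE BPM) in the given
    slot would leave behind, starting from the plain-load value."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 |= 1 << (2 * slot)                 # local enable for the slot
    dr7 |= rw << (16 + 4 * slot)
    dr7 |= ln << (18 + 4 * slot)
    return dr7


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus one synthetic BPM.
    for v in (0x400, 0x700, bpm_dr7(0, "read/write", 4)):
        print(hex(v), classify_dr7(v), decode_dr7(v)["slots"])
```

Reading DR7 this way also shows why the text warns against tracing with breakpoints enabled: any BPM you leave set is visible in the low enable bits and the R/W and LEN fields, independent of how SoftICE itself was loaded.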

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
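For the analyst on the receiving end of these tricks, the cheapest triage is to look for the bytes the checks leave in a binary rather than to catch each one live with a breakpoint. The scanner below is an added example, not code from the original text: its patterns are hand-assembled x86 encodings of the instructions quoted in Methods 01, 02, 03/04, 05, 07 and 12 (16-bit forms, which also match the 66h-prefixed 32-bit forms), plus the device-name strings of Method 11 and the registry paths of Method 13. The rule names, the gap limits between instructions and the input buffer (built from those same fragments with nop padding) are all constructed assumptions.

```python
"""Added example (not from the original text): static triage of a raw
code/data blob for the anti-SoftICE fingerprints described above."""
import re

# (rule name, compiled bytes regex). Comments give the instructions encoded.
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (32-bit code)
    ("M01 BoundsChecker BCHK signature",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh backdoor magic values, then int 3
    ("M02 SoftICE backdoor magic values",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry-point query",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),
    # Method 11: device names opened by MeltICE-style code
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry paths probed for the SoftICE install directory
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
                rb"\\(Uninstall\\SoftICE|App Paths\\Loader32\.Exe))",
                re.IGNORECASE)),
]


def scan(blob):
    """Return a list of (offset, rule name), sorted by offset, for every hit."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def report(blob):
    """Group hits per rule: {rule name: [offsets]}."""
    out = {}
    for off, name in scan(blob):
        out.setdefault(name, []).append(off)
    return out


# Constructed sample buffer: fragments of the listings above, hand-assembled,
# separated by nops, followed by the MeltICE strings and one registry path.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # M02: Haspinst loop body
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # M03: xor di,di; mov es,di; ...; int 2Fh
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 3
    + b"\xB4\x43\xCD\x68"                                   # M07: mov ah,43h; int 68h
    + b"\x90" * 3
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"           # M12: push 4Fh; push 002A002Ah
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # M11: two device names
    + b"Software\\NuMega\\SoftICE\x00"                      # M13: registry key #2
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Byte patterns of this kind are what a YARA rule for the same checks would carry; the regex form keeps the example self-contained. Hits on the strings alone (M11, M13) are weak evidence on their own, since debugger tools legitimately contain them, so a practitioner weights the instruction-level rules higher.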