About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point at segment 0 (the interrupt vector table),
    ; as set up explicitly in method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al if our handler was bypassed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
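To make the two DR7 values quoted above concrete, here is an added example (it is not part of the original text) that decodes a DR7 value using the documented x86 debug-register layout: per-breakpoint L/G enable bits 0-7, LE/GE at bits 8-9, the reserved bit 10 that always reads as 1, GD at bit 13, and the R/W and LEN fields at bits 16-31. It shows why 0x400 is the baseline (only the reserved bit), what 0x700 adds (LE and GE), and which of dr0-dr3 have a breakpoint armed. The sample values are constructed for the demonstration.

```python
# Field layout of DR7 (Intel SDM, "Debug Registers"): breakpoint n uses
# L bit 2n, G bit 2n+1, R/W bits 16+4n..17+4n and LEN bits 18+4n..19+4n.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is 8 bytes (64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into the fields a ring-0 debug-register check reads."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            armed.append({"index": n, "local": local, "global": glob,
                          "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "armed": armed,                            # dr0..dr3 slots in use
        "le": bool(dr7 & (1 << 8)),                # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),                # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),   # always set by the CPU
        "gd": bool(dr7 & (1 << 13)),               # general detect (traps MOV DRn)
    }


def describe(dr7: int) -> str:
    """One-line verdict in the terms used by the text above."""
    d = decode_dr7(dr7)
    if d["armed"]:
        slots = ",".join(f"dr{b['index']}" for b in d["armed"])
        return f"hardware breakpoints armed on {slots}"
    if d["le"] and d["ge"]:
        return "no breakpoints armed, LE/GE set (the 0x700 case)"
    return "no breakpoints armed, only the reserved bit set (the 0x400 case)"


# Constructed sample values: the two cases from the text plus one with a
# 4-byte read/write memory breakpoint (a BPM) armed in dr0.
SAMPLES = {
    "plain":          0x400,
    "softice_loader": 0x700,
    "bpm_in_dr0":     0x400 | 1 | (3 << 16) | (3 << 18),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15s} dr7={value:#07x}  {describe(value)}")
```

Reading the registers themselves still requires ring 0, as the text says; the decoder only interprets a value you already obtained (from a driver, a crash dump or a VM introspection tool).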

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) device can be opened by name. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>