<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This SoftICE detection method (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE implements on int 3:
with EBP = 'BCHK' and AX = 4, SoftICE handles the interrupt and returns
with AL no longer 4 (the Interrupt List documents AL = 0), so if AL is
still 4 afterwards no SoftICE is loaded.

 mov ebp, 04243484Bh ; 'BCHK' (BoundsChecker signature)
 mov ax, 04h ; BoundsChecker interface function 4
 int 3
 cmp al,4 ; an untouched AL means nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the ASCIZ command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command string (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot: never
step over this loop with SoftICE loaded).

* The "jmp to 00ADh" is performed via an exception handler the program
installs on int 3; it only runs when no debugger intercepts the int 3.
___________________________________________________________________________
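The six-command loop above, as an added example (not from the original text nor from HASP): a short Python routine that recovers the command strings statically by walking the pointer table the way `mov dx,[bx]` / `add bx,2` does, so you learn that the last command is HBOOT without letting it execute. The segment image, the table offset (0x100) and the string placement are constructed for this example; on a real sample the offsets come from the disassembly.

```python
"""Recover the SoftICE commands a Method 02 back-door loop would execute.

Added example, not from the original text. In the Haspinst.exe loop,
`mov dx,[bx]` / `int 3` / `add bx,2` runs six times, so BX walks a table of
near pointers into DS, each pointing at an ASCIZ SoftICE command string.
Since the last command is HBOOT, the loop must not be stepped over under
SoftICE; read the table out of the segment image statically instead.
The image layout (table at offset 0x100) is constructed for this example.
"""

TABLE_OFF = 0x100
COMMANDS = [b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]

# SoftICE commands that do more than leak debugger state.
DESTRUCTIVE = {"HBOOT"}   # hard reboot of the machine

def build_sample_image():
    """Constructed DS image: near-pointer table followed by the ASCIZ strings."""
    str_base = TABLE_OFF + 2 * len(COMMANDS)
    strings = bytearray()
    ptrs = bytearray()
    for cmd in COMMANDS:
        ptrs += (str_base + len(strings)).to_bytes(2, "little")
        strings += cmd + b"\x00"
    return bytes(TABLE_OFF) + bytes(ptrs) + bytes(strings)

def read_asciz(img, off):
    """Return the NUL-terminated ASCII string at img[off]."""
    end = img.index(b"\x00", off)
    return img[off:end].decode("ascii")

def extract_backdoor_commands(img, table_off, count):
    """Walk the table exactly as the loop does: word at [bx], then bx += 2."""
    cmds = []
    for i in range(count):
        entry = table_off + 2 * i
        ptr = int.from_bytes(img[entry:entry + 2], "little")
        cmds.append(read_asciz(img, ptr))
    return cmds

def classify(cmds):
    """Tag each command so the dangerous ones stand out before the loop runs."""
    return [(c, "DESTRUCTIVE" if c.upper() in DESTRUCTIVE else "info") for c in cmds]

if __name__ == "__main__":
    img = build_sample_image()
    for cmd, kind in classify(extract_backdoor_commands(img, TABLE_OFF, 6)):
        print(f"{cmd:8} {kind}")
```

Run it as is to see the six commands with HBOOT flagged; against a real dump, pass the DS image and the table offset that BX holds on entry to the loop.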

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh, AX=1684h (Get VxD API entry point), BX = VxD ID. If the VxD is
loaded, ES:DI receives the entry point; if not, ES:DI is left untouched,
which is why both are zeroed before the call.

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h ; Get VxD API entry point
 mov bx, 0202h ; VxD ID of WinICE (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point, or still 0:0
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it asks for the ID of the
SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Looks for the 'magic number' 0F386h that every system debugger returns
in AX when int 41h, function 4Fh (debugger installation check), is
called.
There are several variants. The following one is the simplest:

 mov ax,4fh ; debugger installation check
 int 41h
 cmp ax, 0F386h ; magic value returned by a system debugger
 jz SoftICE_detected

The next variant, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It temporarily points the real-mode int 41h vector at
a dummy IRET handler so that, without a debugger, AX comes back unchanged;
SoftICE intercepts the int 41h before the vector is reached, so AX=0F386h
still means SoftICE is loaded:

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install the dummy handler, old vector -> bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second variant, similar to the preceding one but harder to detect,
because no function number is passed: it only tests whether the real-mode
int 41h vector is reached at all, so a "BPINT 41 if ax==4f" will not
normally fire.

int41handler PROC
 mov cl,al ; only runs if nothing intercepted the int 41h
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, old vector -> bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; PIT counter: a value the debugger cannot predict
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; CL == AL only if our handler ran
 jnz SoftICE_detected

Note that if the port read happens to return AL = 0, CL and AL are equal
either way and the check wrongly concludes that no debugger is present.

_________________________________________________________________________

Method 07
=========

Detects the WinICE handler on int 68h (the Windows debugger interface)
from V86 mode. Function 43h is the installation check; a debugger answers
with the same magic value as int 41h/4Fh.

 mov ah,43h ; installation check
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP
 is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h (the debugger's trace and breakpoint
interrupts) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The VMM Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID
 mov edi, Device_Name ; only used when EAX = 0 (no VxD ID); unused here
 VMMCall Get_DDB
 mov [DDB], ecx ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if the program was loaded
with the SoftICE loader, 0x400 otherwise) and whether memory breakpoints
are set (DR0 to DR3), simply by reading their values. This is ring 0
only: a "mov eax,dr7" from ring 3 raises a general protection fault.
The values can be manipulated and changed as well (clearing BPMs, for
instance).

__________________________________________________________________________
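To make the DR7 values quoted above concrete, here is an added Python decoder (not from the original text): it takes a constructed DR0-DR3/DR7 snapshot, applies Method 10's two tests, lists the armed hardware breakpoints and computes the DR7 value a protector would write back to clear them. The bit layout is the one documented in the Intel SDM; the sample register values are assumptions.

```python
"""Decode and sanitise the x86 debug registers that Method 10 reads.

Added example, not from the original text. A ring 0 routine can read
DR0-DR3 and DR7 directly (mov eax,dr7); the values used below are
constructed stand-ins for what such a read returns. DR7 layout (Intel SDM,
the part Method 10 relies on):
  bits 0-7    L0,G0 ... L3,G3       local/global enable per breakpoint slot
  bits 8-9    LE, GE                exact-breakpoint flags (together: 0x300)
  bit 10      reserved, reads as 1  (hence the 0x400 baseline)
  bits 16-31  R/W0,LEN0 ... R/W3,LEN3  condition and length per slot
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN encoding; 8 only in 64-bit mode

def breakpoints(dr7, dr0_3=(0, 0, 0, 0)):
    """List the enabled hardware breakpoints as (slot, address, kind, length)."""
    out = []
    for slot in range(4):
        enabled = (dr7 >> (2 * slot)) & 3          # L and G bits of this slot
        if not enabled:
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        out.append((slot, dr0_3[slot], RW_NAMES[rw], LEN_BYTES[ln]))
    return out

def softice_loader_loaded(dr7):
    """Method 10's first test: the SoftICE loader leaves LE|GE set (DR7 = 0x700)."""
    return (dr7 & 0x300) == 0x300

def bpm_present(dr7):
    """Method 10's second test: any enabled slot means a BPM (or some other
    debugger's hardware breakpoint) is armed."""
    return (dr7 & 0xFF) != 0

def cleared_dr7(dr7):
    """Value a protector writes back to kill every BPM: drop the enable and
    condition bits, keep LE/GE and the always-set reserved bit."""
    return (dr7 & 0x300) | 0x400

# Constructed register snapshot (assumption): program started with the
# SoftICE loader and one BPM armed, "BPMD 401000 W" (4-byte write watch,
# slot 0): L0=1, R/W0=01 (write), LEN0=11 (4 bytes).
SAMPLE_DR7 = 0x700 | 0x1 | 0x10000 | 0xC0000   # = 0x000D0701
SAMPLE_DR0_3 = (0x00401000, 0, 0, 0)

if __name__ == "__main__":
    print(f"DR7={SAMPLE_DR7:08X} loader={softice_loader_loaded(SAMPLE_DR7)} "
          f"bpm={bpm_present(SAMPLE_DR7)}")
    for slot, addr, kind, ln in breakpoints(SAMPLE_DR7, SAMPLE_DR0_3):
        print(f"  slot {slot}: {kind} len {ln} at {addr:08X}")
    print(f"after clearing: DR7={cleared_dr7(SAMPLE_DR7):08X}")
```

Only BPM breakpoints live in DR0-DR3; a plain BPX is an int 3 patch and is invisible to this check, which is why the warning above is about BPMs and tracing.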

Method 11
=========

This method is best known as 'MeltICE' because a tool of that name was
freely distributed via www.winfiles.com. However, it was first used by
NuMega itself so that Symbol Loader could check whether SoftICE is active
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The open only succeeds when the driver is loaded and answers DIOC_OPEN. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; -> '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; -> '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it only works on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word selects the VxD (VWIN32),
 ; low word selects the service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in keys #2
 and #1 respectively)

__________________________________________________________________________
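A static triage scanner for Methods 01-07, 11, 12 and 13, added here as an example (not from the original text): it searches a binary image for the instruction encodings and strings quoted in those sections (`mov ebp,4243484Bh` / `int 3`, `mov si,4647h` / `mov di,4A4Dh` / `int 3`, `mov bx,0202h` or `mov bx,7A5Fh` / `int 2Fh`, `mov ax,4Fh` / `int 41h`, `cmp ax,0F386h`, `mov ah,43h` / `int 68h`, `push 4Fh` / `push 002A002Ah`, the `\\.\SICE` device names and the NuMega registry key). The byte encodings are the standard 16-bit and 32-bit ones for those instructions; the allowed gap sizes and the sample buffer are assumptions constructed for the example.

```python
"""Static signature scan for the SoftICE detection tricks of Methods 01-07,
11, 12 and 13. Added example, not from the original text.

Each signature is the encoding of the instructions quoted in the text; the
lazy gaps `.{0,N}?` let a few other instructions sit between the immediate
loads and the INT, as in the Haspinst.exe loop. Gap sizes are assumptions.
"""
import re

SIGNATURES = [
    ("M01", "BoundsChecker int 3 (mov ebp,'BCHK' ... int 3)",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    ("M02", "SoftICE int 3 back door (mov si,4647h ; mov di,4A4Dh ... int 3)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC"),
    ("M03", "int 2Fh/1684h with bx=0202h (SICE VxD)",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD)",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh (mov ax,4Fh ... int 41h)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M05/07/12", "cmp ax,0F386h (debugger magic value)",
     rb"\x3D\x86\xF3"),
    ("M07", "int 68h function 43h (mov ah,43h ... int 68h)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M11", "MeltICE device name (SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)",
     rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("M13", "registry key Software\\NuMega\\SoftICE",
     rb"NuMega\\SoftICE"),
]

# re.S so '.' in the gaps matches any byte value, including 0x0A.
COMPILED = [(tag, desc, re.compile(pat, re.S)) for tag, desc, pat in SIGNATURES]

def scan(buf):
    """Return [(offset, tag, description)] for every hit, sorted by offset."""
    hits = []
    for tag, desc, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), tag, desc))
    return sorted(hits)

def methods_found(buf):
    """Just the method tags present, for a quick triage summary."""
    return sorted({tag for _, tag, _ in scan(buf)})

# Constructed sample buffer (not a real binary): the Method 02 loop body from
# the Haspinst.exe listing, a Method 01 check, Method 12's VxDCall prologue,
# a MeltICE device name and the Method 13 registry path.
SAMPLE = (
    b"\xB8\x11\x09"                  # mov ax,0911h
    b"\x8B\x17"                      # mov dx,[bx]
    b"\xBE\x47\x46"                  # mov si,4647h
    b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    b"\xCC"                          # int 3
    b"\x83\xC3\x02"                  # add bx,2
    b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh ('BCHK')
    b"\xB8\x04\x00\xCC\x3C\x04"      # mov ax,4 ; int 3 ; cmp al,4
    b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah
    b"\\\\.\\SICE\x00"               # "\\.\SICE",0
    b"Software\\NuMega\\SoftICE\x00" # registry key #2
)

if __name__ == "__main__":
    for off, tag, desc in scan(SAMPLE):
        print(f"{off:08X}  {tag:10} {desc}")
```

Three-byte patterns such as `cmp ax,0F386h` will false-positive on real binaries; treat hits as places to look in the disassembly, not as verdicts, and widen the gaps if a protector interleaves junk instructions between the loads and the INT.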

Method 14
=========

A call to the VMM service Test_Debug_Installed. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

 VMMCall Test_Debug_Installed ; ZF clear if a debugger is installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>