<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; if SoftICE is loaded it answers the call and al is no longer 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI is 0 if the VxD is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler (es = 0, the IVT)
        xchg bx, es:[41h*4+2]   ; and keep the old vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler: copy al into cl
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer value, hard to predict
        xor cx,cx
        int 41h                 ; our handler should set cl = al...
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless a debugger intercepted int 41h first
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________
" k% Y7 W1 Q) O1 j; _ y+ K
Method 09
) f1 x% e" B+ G* R @=========1 O. D" ?7 e) a9 u
; d) @/ S5 j# ?& S1 a
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only1 d1 _- {: Q G/ ^! b
performed in ring0 (VxD or a ring3 app using the VxdCall).
8 u: ?/ W, f$ qThe Get_DDB service is used to determine whether or not a VxD is installed$ M% K" y& N) X
for the specified device and returns a Device Description Block (in ecx) for
% o# I' I2 Z: L) A8 c& ~, Pthat device if it is installed.
4 V' W- @3 h, p+ I
- `, f5 {7 U" S8 o7 H5 ^& A- G$ E1 W mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID2 m/ X G6 O1 i
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
3 Y, s: s' z5 h VMMCall Get_DDB0 G1 s, N. P! \3 {( H' x6 [
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
; \5 v c; \2 A6 G- c. b3 Z) p
$ [6 _+ }1 Q4 oNote as well that you can easily detect this method with SoftICE:! {4 N/ b& \0 K
bpx Get_DDB if ax==0202 || ax==7a5fh
$ e, W, m; L1 A0 I% a$ U
- `- ~3 V: D* t' B__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* try to open a handle on the SICE VxD; SIWVID and NTICE are checked the same way */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; -1 (HFILE_ERROR) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________
0 C" q2 S" ^5 Q9 f9 \0 A
Method 12 a0 J3 x4 P' w. F1 |7 {" `
=========" N) H- G Z! a$ ]2 w4 A
0 ^9 j7 h) u, ?/ R5 ~) U, A
This trick is similar to int41h/4fh Debugger installation check (code 057 j9 D/ t. I1 {. S
& 06) but very limited because it's only available for Win95/98 (not NT)( j- ^& s8 h; L3 f8 f6 O
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( X2 O; o6 d& p! l) h7 @
6 L! g2 `5 Y! X& p6 l push 0000004fh ; function 4fh+ d# H9 e E0 |" C' m! c# x
push 002a002ah ; high word specifies which VxD (VWIN32)
: p- J+ J/ Q; |2 ` ; low word specifies which service
* [" K% l9 o# K' S- d; t, B (VWIN32_Int41Dispatch)' u% E0 ^! }; g9 z/ a/ ]
call Kernel32!ORD_001 ; VxdCall; O# C" Z! I, }; f3 l+ ` i& |/ }
cmp ax, 0f386h ; magic number returned by system debuggers; s' a) N- s$ K- E. W }+ G6 N) i
jz SoftICE_detected
$ X5 ~/ c6 U, V9 l7 U( ] {9 ~
2 f; x& J/ O6 R: L; N& d `% tHere again, several ways to detect it:& H* ^+ b! q; g$ B! K9 u
2 _% A4 i8 `* w7 Y9 K BPINT 41 if ax==4f
0 |3 Q3 `6 c; j* T: _4 z* ?1 @+ |8 {
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
5 H: C6 V: {1 l) `9 X7 y, H# x$ N1 F) H* v3 f
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A; h5 _# `& f2 `3 P
* E2 ^5 r+ C: {" T, a BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!+ ^ G T( k" F/ E
9 I, g, j0 q) Z7 ]$ L* B
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
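As an added example (not part of the original text nor of any tool it mentions), here is a
small Python triage scanner that finds the byte sequences of Methods 01, 02, 03/04, 05, 07
and 12 and the driver/registry strings of Methods 11 and 13 in a raw binary image, so an
analyst can tell which trick a protected file uses before stepping through it. The opcode
encodings are derived from the listings above (16-bit for the DOS snippets, 32-bit for
Methods 01 and 12); the sample bytes are constructed.

```python
"""Static triage scanner for the anti-SoftICE tricks listed above.

Added example, not code from the original text. Each signature is a regex
over raw bytes that encodes the key instructions of one method; bounded
lazy wildcards (.{0,N}?) absorb unrelated instructions in between, such as
the MOV DX,[BX] that sits in the Haspinst.exe listing.
"""
import re

SIGNATURES = {
    # mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)           -- 32-bit code
    "01 BCHK int 3": rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # mov si,4647h ... mov di,4A4Dh ... int 3                   -- 16-bit code
    "02 back door int 3": rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc",
    # mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh            -- 16-bit code
    "03/04 int 2Fh/1684h": rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f",
    # mov ax,4Fh ... int 41h (the 0F386h compare may be far away)
    "05 int 41h/4Fh": rb"\xb8\x4f\x00.{0,32}?\xcd\x41",
    # mov ah,43h ... int 68h
    "07 int 68h/43h": rb"\xb4\x43.{0,4}?\xcd\x68",
    # "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" as a NUL-terminated C string
    "11 driver names": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) -- 32-bit code
    "12 VxDCall 2A002Ah": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # registry key #2 of Method 13
    "13 registry": rb"Software\\NuMega\\SoftICE",
}


def scan(image: bytes) -> list:
    """Return [(signature name, offset), ...] for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so that wildcards also match 0x0A bytes inside the code
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: DOS-era fragments glued together, not a real file.
SAMPLE = (
    b"\x90" * 4                                            # nop padding
    + b"\xb8\x11\x09\x8b\x17"                              # mov ax,0911h ; mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"                      # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # the Method 03 sequence
    + b"\\\\.\\SICE\x00"                                   # the string MeltICE opens
    + b"\xb8\x4f\x00\xc3"                                  # mov ax,4Fh ; ret: no int 41h, so no hit
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  Method {name}")
```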
___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>