<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
; g% m! e9 ^+ f& G__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
#include &lt;windows.h&gt;

/* MeltICE-style check: returns TRUE if the SoftICE (Win9x) driver answers
   to its device name, i.e. the open succeeds instead of failing with
   INVALID_HANDLE_VALUE. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* driver present: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
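
As an added example (not part of the original text), here is a small static
scanner that turns the instruction sequences quoted in Methods 01 to 07, 11, 12
and 13 into byte signatures and reports where they occur in a file image, the
way an analyst or AV engine would flag these tricks without running the sample.
The byte encodings are my own derivation from the x86 instruction format
(16-bit encodings for the DOS int-based methods, 32-bit for the 'BCHK' check
and the VxDCall push sequence); the sample image scanned at the bottom is
constructed for the demonstration, not taken from any real program.

```python
"""Static scanner for the SoftICE detection tricks described above.

Added example: the byte encodings below are my own derivation from the
x86 instruction format, and the sample image in build_sample() is
constructed, not taken from a real program.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    method: str            # method number in the text above
    description: str
    regex: "re.Pattern[bytes]"


def literal(raw: bytes) -> "re.Pattern[bytes]":
    """Match an exact byte string (device names, registry paths)."""
    return re.compile(re.escape(raw))


SIGNATURES: List[Signature] = [
    # Method 01: mov ebp,04243484Bh ('BCHK') is BD 4B 48 43 42 in 32-bit code
    Signature("01", "BoundsChecker 'BCHK' signature before int 3",
              re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (optional 66h prefix in 32-bit code)
    Signature("02", "int 3 backdoor with SI=4647h / DI=4A4Dh",
              re.compile(rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A\xCC")),
    # Methods 03/04: mov bx,VxD_ID ; int 2Fh (ax=1684h is loaded just before)
    Signature("03", "int 2Fh/1684h lookup of the SICE VxD (ID 0202h)",
              re.compile(rb"\xBB\x02\x02\xCD\x2F")),
    Signature("04", "int 2Fh/1684h lookup of the SIWVID VxD (ID 7A5Fh)",
              re.compile(rb"\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    Signature("05", "int 41h function 4Fh debugger installation check",
              re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Methods 05/07/12 all end with cmp ax,0F386h (3D 86 F3, 66-prefixed in 32-bit code)
    Signature("05/07/12", "compare of ax with the 0F386h magic number",
              re.compile(rb"\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    Signature("07", "int 68h function 43h (V86) debugger check",
              re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened with CreateFileA or _lopen
    Signature("11", r"device name \\.\SICE", literal(b"\\\\.\\SICE")),
    Signature("11", r"device name \\.\SIWVID", literal(b"\\\\.\\SIWVID")),
    Signature("11", r"device name \\.\NTICE", literal(b"\\\\.\\NTICE")),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; call VxDCall
    Signature("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
              re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key #2
    Signature("13", "registry path Software\\NuMega\\SoftICE",
              literal(b"Software\\NuMega\\SoftICE")),
]

Hit = Tuple[int, str, str]   # (file offset, method, description)


def scan(image: bytes) -> List[Hit]:
    """Return every signature hit in `image`, sorted by file offset."""
    hits: List[Hit] = []
    for sig in SIGNATURES:
        for match in sig.regex.finditer(image):
            hits.append((match.start(), sig.method, sig.description))
    return sorted(hits)


def methods_found(image: bytes) -> List[str]:
    """Distinct method numbers whose signature occurs at least once."""
    return sorted({method for _, method, _ in scan(image)})


def build_sample() -> bytes:
    """Constructed test image: a few of the tricks embedded in NOP padding."""
    pad = b"\x90" * 16
    # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4       (Method 01, 32-bit)
    method01 = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    # mov ax,4Fh / int 41h / cmp ax,0F386h / jz          (Method 05, 16-bit)
    method05 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    method11 = b"\\\\.\\SICE\x00"                        # device name string
    # push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h   (Method 12)
    method12 = b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    return pad + method01 + pad + method05 + pad + method11 + pad + method12


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, method, description in scan(data):
        print(f"{offset:08x}  Method {method:9} {description}")
```

Run it as "python scanner.py file.exe" (or with no argument to scan the built-in
sample). The 0F386h compare (3D 86 F3) is listed on its own because those three
bytes can also occur as data, so treat any hit as a lead to confirm in the
disassembly rather than as proof that the trick is present.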

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>