About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

If SoftICE is loaded, its INT 3 handler recognises the BoundsChecker
request and returns with AL changed from 04h, which the final compare
catches.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Here the int 41h vector is swapped with
a dummy handler first, so that without a system debugger the call returns
with ax untouched:

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install own handler, keep old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h             ; own handler copies al into cl; a debugger does not
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is present */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
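As an added example (not part of the original text), here is a small Python triage script that scans a raw binary for the instruction sequences quoted in Methods 01, 02, 05 and 12 and reports where they occur, so an analyst can flag a sample that carries these anti-debugger checks before running it. The byte encodings are the standard x86 ones for the instructions listed above; the signature names, the tolerated gaps between instructions and the SAMPLE buffer are my own assumptions and constructions.

```python
"""Static triage helper (added example): locate the anti-SoftICE instruction
sequences of Methods 01, 02, 05 and 12 in a raw binary."""
import re
import sys
from typing import List, Tuple

# Each pattern tolerates a few bytes of unrelated code between the key
# instructions and an optional 66h operand-size prefix, so it matches the
# sequence whether it was assembled as 16-bit or 32-bit code.  The gap sizes
# are assumptions chosen to cover the listings on the page.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "Method 01 (BCHK / int 3)": re.compile(
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC", re.DOTALL),
    # Method 02: [mov ax,09xxh] ; mov si,4647h ; mov di,4A4Dh ; ... ; int 3
    "Method 02 (back door SI/DI magic)": re.compile(
        rb"(?:\xB8[\x10-\x14]\x09.{0,6}?)?"
        rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46)"
        rb".{0,12}?\xCC", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    "Method 05 (int 41h/4Fh magic)": re.compile(
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,12}?(?:\x66)?\x3D\x86\xF3", re.DOTALL),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall ; cmp ax,0F386h
    "Method 12 (VxDCall Int41Dispatch)": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"
        rb".{0,8}?\x66\x3D\x86\xF3", re.DOTALL),
}


def scan_anti_softice(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


def triage_file(path: str) -> List[Tuple[int, str]]:
    """Scan a file on disk (a DOS or Win9x executable, a packer stub, ...)."""
    with open(path, "rb") as fh:
        return scan_anti_softice(fh.read())


# Constructed sample: filler NOPs around hand-assembled copies of the four
# sequences (Method 02 follows the Haspinst.exe listing: mov ax,0911h ;
# mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 at 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"            # Method 02 at 21
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                    # Method 05 at 36
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # Method 12 at 49
)

if __name__ == "__main__":
    found = triage_file(sys.argv[1]) if len(sys.argv) > 1 else scan_anti_softice(SAMPLE)
    for offset, method in found:
        print(f"{offset:08x}  {method}")
```

Run it with a file path to scan that file, or with no arguments to scan the constructed SAMPLE; a hit only says the byte sequence is present, so confirm it in a disassembler before drawing conclusions.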