<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES must point to the interrupt vector table (segment 0),
        ; as set up in Method 06 below.
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if nobody intercepts int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = interrupt vector table segment
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a non-zero value from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler was bypassed
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

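The SoftICE breakpoints listed under methods 09, 11 and 12 catch these tricks
dynamically. As an added example (not part of the original list, and not code
from any of the tools or programs it names), here is the static counterpart: a
Python scanner that looks for the instruction encodings of methods 01 to 07,
11 and 12 in a raw code image, so an analyst can see which tricks a packer
carries before stepping into it. The signature names, the 16-byte gap
allowance between instructions and the sample image are all constructed for
this example; the byte patterns are the standard x86 encodings of the
instructions quoted in the methods above.

```python
import re

# Static signature scanner for the SoftICE detection tricks in this list
# (added example, not part of the original text). The byte patterns are the
# standard x86 encodings of the instructions quoted above; up to 16 bytes of
# unrelated code may sit between the instructions of one trick so that
# reordered register loads or interleaved junk still match.
GAP = rb".{0,16}?"
W = rb"\x66?"          # optional operand-size prefix: 16-bit trick in 32-bit code

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "method01": rb"\xBD\x4B\x48\x43\x42" + GAP + W + rb"\xB8\x04\x00" + GAP + rb"\xCC",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) before int 3
    "method02": (rb"(?:" + W + rb"\xBE\x47\x46" + GAP + W + rb"\xBF\x4D\x4A|"
                 + W + rb"\xBF\x4D\x4A" + GAP + W + rb"\xBE\x47\x46)" + GAP + rb"\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    "method03_04": (W + rb"\xB8\x84\x16" + GAP + W + rb"\xBB(?:\x02\x02|\x5F\x7A)"
                    + GAP + rb"\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "method05": W + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + W + rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "method07": rb"\xB4\x43" + GAP + rb"\xCD\x68",
    # Method 11: driver names handed to CreateFileA / _lopen
    "method11": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "method12": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, trick) pairs for every signature hit, lowest offset first."""
    hits = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(image))
    return sorted(hits)


def tricks_present(image: bytes) -> list[str]:
    """Distinct tricks found in the image, in method order."""
    return sorted({name for _, name in scan(image)})


# Constructed sample image (not from any real program): NOP filler around
# a Win32 packer stub (method 01), a DOS int 41h check (method 05), the
# Haspinst-style int 3 backdoor call (method 02) and a MeltICE string table.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x90" * 5
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                   # method 05
    + b"\x90" * 5
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # method 02
    + b"\x90" * 5
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # method 11
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a dumped code section or an unpacked DOS image rather than the
packed file itself, since most packers keep these stubs encrypted until run
time. Methods 08, 09, 10, 13 and 14 are deliberately absent: they are either
VxD service calls, debug register reads or registry lookups with no stable
byte pattern, which is exactly why the list recommends SoftICE breakpoints
(bpx Get_DDB, BPX _regopenkey) for those.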
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>