<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; non-zero entry point means the VxD is present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; assumes ES = 0 (interrupt vector table)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, save the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if the int 41h vector is really reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary non-constant value (timer port)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al: our handler was bypassed by a debugger
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver as a device only succeeds when SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
, f9 G, @& l1 h& t6 G( |8 N</PRE></TD></TR></TBODY></TABLE> |