<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h     ; VxD ID of winice
 int 2Fh
 mov ax, es        ; ES:DI -> VxD API entry point (0:0 if not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh     ; VxD ID of SIWVID
 int 2fh
 mov ax, es        ; ES:DI -> VxD API entry point (0:0 if not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; swap our own handler into the int 41h vector
 xchg bx, es:[41h*4+2]    ; (ES = 0, the IVT segment, as set up in Method 06)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h           ; our handler leaves ax = 4fh; a debugger returns 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax               ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
 xchg bx, es:[41h*4+2]
 in al, 40h              ; read a changing byte (PIT counter 0) into al
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al               ; if SoftICE intercepted int 41h, our handler never
 jnz SoftICE_detected    ; ran and cl is still 0 (misses when al happens to be 0)

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number      ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD device only succeeds when the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
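As an added example (not part of the original text): a small Python scanner that looks for the byte encodings and strings of the tricks listed above (methods 01 to 05, 07, 11, 12 and 13) in a raw file, so an analyst can triage a packed sample for them before single-stepping it. The opcode bytes are the standard x86 encodings of the instructions shown on this page (16-bit immediates for the DOS-style sequences, a 66h prefix assumed for the Win32 'mov ax,4' of method 01); the sample image is constructed, not taken from any real binary.

```python
"""Flag the anti-SoftICE code and string patterns this page describes in a raw binary."""
import re
import sys

# (page method number, description, byte regex).  Encodings are the standard x86
# ones for the instructions shown on the page: 16-bit immediates for the DOS-style
# sequences, and an 0x66 prefix where the page's Win32 code uses 'mov ax'.
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    (2, "back door magic values: mov si,4647h / mov di,4A4Dh / int 3",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A\xCC")),
    (3, "int 2Fh/1684h on VxD ID 0202h (SICE) or 7A5Fh (SIWVID), methods 03/04",
     re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F")),
    (5, "int 41h function 4Fh debugger check: mov ax,4Fh / int 41h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    (7, "WinICE V86 handler check: mov ah,43h / int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    (11, "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    (12, "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    (13, "SoftICE registry key name (NuMega\\SoftICE or Uninstall\\SoftICE)",
     re.compile(rb"(NuMega|Uninstall)\\SoftICE")),
]


def scan(image):
    """Return (offset, page method number, description) for every hit, by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(image):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(image):
    """Distinct page method numbers whose pattern occurs in the image, ascending."""
    return sorted({method for _, method, _ in scan(image)})


# Constructed sample: the page's sequences glued together with NOPs (0x90) plus
# two of the strings it mentions.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"         # method 01 (Win32)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"         # method 02 (Haspinst)
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                         # method 03
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"     # method 12
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"       # methods 11, 13
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(data):
        print(f"{offset:08x}  method {method:02d}  {desc}")
```

Run it with a file path to scan that file; with no argument it scans the constructed sample. A hit only says the bytes are present, so confirm each one in the disassembly before setting the corresponding BPX.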


___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>