<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: int 3 is called with
EBP = 'BCHK' and AX = 4. If SoftICE is loaded, AL does not come back as 4.

      mov ebp, 04243484Bh     ; 'BCHK'
      mov ax, 04h
      int 3
      cmp al, 4
      jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
      -AX = 0910h (Display a string in the SoftICE window)
      -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
      -AX = 0912h (Get breakpoint information)
      -AX = 0913h (Set SoftICE breakpoints)
      -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
      -SI = 4647h    ; 'FG'
      -DI = 4A4Dh    ; 'JM'
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

      4C19:0095 MOV  AX,0911     ; execute command.
      4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
      4C19:009A MOV  SI,4647     ; 1st magic value.
      4C19:009D MOV  DI,4A4D     ; 2nd magic value.
      4C19:00A0 INT  3           ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
      4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
      4C19:00A4 INC  CX
      4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
      4C19:00A8 JB   0095        ; 6 different commands.
      4C19:00AA JMP  0002        ; Bad_Guy: jump back.
      4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler the program installs
  for int 03h: when the debugger is not loaded, that handler gets control and
  jumps to 00AD; when SoftICE is loaded, it services the int 3 itself and
  execution simply continues at 00A1.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is loaded,
ES:DI comes back non-zero.

      xor di, di
      mov es, di
      mov ax, 1684h
      mov bx, 0202h           ; VxD ID of WINICE
      int 2Fh
      mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
      add ax, di
      test ax, ax
      jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

      xor di, di
      mov es, di
      mov ax, 1684h
      mov bx, 7a5Fh           ; VxD ID of SIWVID
      int 2Fh
      mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
      add ax, di
      test ax, ax
      jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by any
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

      mov ax, 4fh
      int 41h
      cmp ax, 0F386h
      jz SoftICE_detected

The next variant, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector at a
plain iret, so that a plain DOS int 41h would return AX unchanged; with
SoftICE loaded, AX still comes back as 0F386h:

      xor ax, ax
      mov es, ax              ; ES -> interrupt vector table (segment 0)
      mov bx, cs
      lea dx, int41handler2
      xchg dx, es:[41h*4]     ; swap our handler into the int 41h vector
      xchg bx, es:[41h*4+2]
      mov ax, 4fh
      int 41h
      xchg dx, es:[41h*4]     ; restore the original vector
      xchg bx, es:[41h*4+2]
      cmp ax, 0f386h
      jz SoftICE_detected

int41handler2 PROC
      iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot: the
program installs its own int 41h handler, which copies AL into CL. If
SoftICE services int 41h itself, that handler never runs, CL stays 0 and
differs from AL.

int41handler PROC
      mov cl, al
      iret
int41handler ENDP

      xor ax, ax
      mov es, ax              ; ES -> interrupt vector table (segment 0)
      mov bx, cs
      lea dx, int41handler
      xchg dx, es:[41h*4]     ; swap our handler into the int 41h vector
      xchg bx, es:[41h*4+2]
      in al, 40h              ; AL = a timer byte, hard to predict
      xor cx, cx
      int 41h
      xchg dx, es:[41h*4]     ; restore the original vector
      xchg bx, es:[41h*4+2]
      cmp cl, al
      jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection via the WinICE handler for int 68h (V86 mode):

      mov ah, 43h
      int 68h
      cmp ax, 0F386h
      jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
      BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a detection method for SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

      mov ah, 25h
      mov al, Int_Number      ; 01h or 03h
      mov dx, offset New_Int_Routine
      int 21h
___________________________________________________________________________
Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

      mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID
      mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
      VMMCall Get_DDB
      mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
      bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========
=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated and/or
changed as well (clearing BPMs, for instance).

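What the dr7 values quoted above actually encode, as an added example that is not part of the original page: a small C decoder for DR7 following the Intel SDM bit layout. Bit 10 of DR7 is reserved and always reads as 1, which is the 0x400 baseline; 0x700 adds the LE and GE "exact breakpoint" bits without arming any slot; a BPM arms an L/G bit plus the R/W and LEN field of its slot. The register would be read with mov eax,dr7 in ring 0; here the value is a parameter so the code runs anywhere, and the sample values are constructed, not read from a machine. The function and struct names are mine.

```c
/*
 * Added example, not from the original page: decode the x86 DR7 debug
 * control register to see what "dr7 = 0x400" and "dr7 = 0x700" mean.
 * Bit layout (Intel SDM, "Debug Registers"):
 *   bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
 *   bit  8/9   LE / GE          local/global exact breakpoint enable
 *   bit  10    reserved, always reads as 1  (hence the 0x400 baseline)
 *   bit  13    GD               general detect: trap on any MOV to/from DRn
 *   bits 16-31 R/Wn (2 bits) + LENn (2 bits) for each DRn
 * Reading DR7 needs ring 0 ("mov eax, dr7"); here the value is a parameter
 * and the sample values in main() are constructed, not read from a machine.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)
#define DR7_GD        (1u << 13)

struct hwbp {
    int enabled;        /* L_n or G_n set */
    int global;         /* G_n set */
    const char *kind;   /* "exec", "write", "io", "rw" */
    int len;            /* 1, 2, 8 or 4 bytes (Intel LEN encoding order) */
};

struct dr7_info {
    int any_enabled;    /* at least one hardware breakpoint armed */
    int exact;          /* LE or GE set: what the SoftICE loader leaves behind */
    int general_detect; /* GD set */
    struct hwbp bp[4];
};

/* Split dr7 into its fields. */
static struct dr7_info dr7_decode(uint32_t dr7)
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    static const int lens[4] = { 1, 2, 8, 4 };   /* LEN 00, 01, 10, 11 */
    struct dr7_info info;
    memset(&info, 0, sizeof info);

    info.exact = (dr7 & (DR7_LE | DR7_GE)) != 0;
    info.general_detect = (dr7 & DR7_GD) != 0;
    for (int n = 0; n < 4; n++) {
        uint32_t local  = (dr7 >> (2 * n)) & 1;
        uint32_t global = (dr7 >> (2 * n + 1)) & 1;
        uint32_t rw     = (dr7 >> (16 + 4 * n)) & 3;
        uint32_t len    = (dr7 >> (18 + 4 * n)) & 3;
        info.bp[n].enabled = (local | global) != 0;
        info.bp[n].global  = global != 0;
        info.bp[n].kind    = kinds[rw];
        info.bp[n].len     = lens[len];
        if (info.bp[n].enabled)
            info.any_enabled = 1;
    }
    return info;
}

/* The Method 10 test itself: anything beyond the bare reserved bit means a
 * debugger has touched DR7 (LE|GE from the SoftICE loader, or an armed slot
 * from a BPM). */
static int dr7_looks_debugged(uint32_t dr7)
{
    return dr7 != DR7_RESERVED;
}

/* What a hardware memory breakpoint in slot n adds to dr7: the local enable
 * bit plus its R/W and LEN fields. Used here to build a sample value. */
static uint32_t dr7_with_bpm(uint32_t base, int n, unsigned rw, unsigned len)
{
    base |= 1u << (2 * n);
    base &= ~(0xFu << (16 + 4 * n));
    base |= (rw & 3u) << (16 + 4 * n);
    base |= (len & 3u) << (18 + 4 * n);
    return base;
}

int main(void)
{
    /* Constructed samples: the two values quoted in the text, plus 0x700
     * with a 4-byte read/write breakpoint armed in DR0. */
    uint32_t samples[3] = { 0x400, 0x700, dr7_with_bpm(0x700, 0, 3, 3) };
    for (int i = 0; i < 3; i++) {
        struct dr7_info d = dr7_decode(samples[i]);
        printf("dr7=%08x debugged=%d exact=%d", (unsigned)samples[i],
               dr7_looks_debugged(samples[i]), d.exact);
        for (int n = 0; n < 4; n++)
            if (d.bp[n].enabled)
                printf(" DR%d:%s/%d", n, d.bp[n].kind, d.bp[n].len);
        putchar('\n');
    }
    return 0;
}
```

Note the flip side a practitioner cares about: dr7_looks_debugged() treats anything other than 0x400 as suspicious, which is exactly why the warning above says to clear your breakpoints first. A single BPM in any slot, or simply loading the target through the SoftICE loader, is enough to trip it.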
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow the
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

      00401067: push 00402025          ; \\.\SICE
      0040106C: call CreateFileA
      00401071: cmp  eax,-001
      00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
      BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                         *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
      BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
               ;will break 3 times :-(

-or (a bit) faster:
      BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
      BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
               ;will break 3 times :-(

-Much faster:
      BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, when the
open fails, so "inc eax" yields zero exactly when the driver is absent):

      push 00                 ; OF_READ
      mov  eax,[00656634]     ; '\\.\SICE',0
      push eax
      call KERNEL32!_lopen
      inc  eax
      jnz  00650589           ; detected
      push 00                 ; OF_READ
      mov  eax,[00656638]     ; '\\.\SICE'
      push eax
      call KERNEL32!_lopen
      inc  eax
      jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

      push 0000004fh          ; function 4fh
      push 002a002ah          ; high word selects the VxD (002Ah = VWIN32),
                              ; low word selects the service
                              ; (002Ah = VWIN32_Int41Dispatch)
      call Kernel32!ORD_0001  ; VxDCall
      cmp  ax, 0f386h         ; magic number returned by system debuggers
      jz   SoftICE_detected

Here again, there are several ways to detect it:

      BPINT 41 if ax==4f
      BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

      BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
      BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

      -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
           \Uninstall\SoftICE
      -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
      -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
           \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

      BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

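The string offsets behind the breakpoint conditions of Method 11 and Method 13, as an added C example that is not code from the original page, from MeltICE or from NuMega: it reproduces the `*(esp->4+4)=='SICE'` and `*(esp->8+0x13)=='tICE'` comparisons over constructed path and registry-key strings, adds the bounds check a SoftICE expression does not perform, and puts the MeltICE probe itself (extended to all three driver names) behind #ifdef _WIN32 so the rest compiles and runs on any platform. The function names are mine.

```c
/*
 * Added example, not code from the original page, MeltICE or NuMega: the
 * string-offset logic behind the breakpoint conditions given for Method 11
 * and Method 13, reproduced in C so it can be checked offline.
 *
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 *
 * esp->4 is the first argument (lpFileName): +4 skips the "\\.\" prefix so
 * the 4-byte compare lands on the device name. esp->8 is the second argument
 * (lpSubKey): 0x13 and 0x37 are where "tICE" sits in "Software\NuMega\SoftICE"
 * and in "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".
 * Function names are mine; the sample strings are constructed inline.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A 4-byte compare at offset `off`, as SoftICE's *(ptr+off)=='TAG1' does,
 * but refusing to read past the end of the string. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Method 11 condition: matches "\\.\SICE", "\\.\SIWVID" and "\\.\NTICE". */
static int bpx_createfile_hits(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE")
        || tag_at(lpFileName, 4, "SIWV")
        || tag_at(lpFileName, 4, "NTIC");
}

/* Method 13 condition: only the two fixed offsets are examined. */
static int bpx_regopenkey_hits(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Offset at which "tICE" falls for a given key, i.e. the constant the
 * breakpoint would need, or -1 if the key does not mention SoftICE. */
static long softice_tag_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "SoftICE");
    return p ? (long)(p - lpSubKey) + 3 : -1;   /* +3 skips "Sof" */
}

#ifdef _WIN32
#include <windows.h>
/* The MeltICE probe itself, extended to all three driver names (Windows
 * only). Returns how many of them could be opened; 0 means none answered. */
static int probe_softice_drivers(void)
{
    static const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
    int hits = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        HANDLE h = CreateFileA(names[i], GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            CloseHandle(h);
            hits++;
        }
    }
    return hits;
}
#endif

int main(void)
{
    /* Constructed inputs: the three registry keys listed for Method 13 and
     * a few device paths for Method 11. */
    static const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    static const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                                   "C:\\temp\\x.txt" };
    for (size_t i = 0; i < 3; i++)
        printf("key #%zu: bpx fires=%d, 'tICE' at offset %ld\n", i + 1,
               bpx_regopenkey_hits(keys[i]), softice_tag_offset(keys[i]));
    for (size_t i = 0; i < 4; i++)
        printf("%-14s bpx fires=%d\n", paths[i], bpx_createfile_hits(paths[i]));
#ifdef _WIN32
    printf("drivers answering CreateFileA: %d\n", probe_softice_drivers());
#endif
    return 0;
}
```

Running it shows why 0x13 and 0x37 are the right constants for keys #1 and #2 (they are where 'tICE' falls in each string), and also that key #3, App Paths\Loader32.Exe, contains no 'tICE' at all: the breakpoint quoted above does not fire on a program that only reads that key, so add a separate condition for it if you need that case covered.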
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

      VMMCall Test_Debug_Installed
      je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>