<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
EBP = 'BCHK' and AX = 4, a loaded SoftICE services the int 3 itself and
AL no longer equals 4 afterwards; without SoftICE, AL is left untouched.

        mov   ebp, 04243484Bh   ; 'BCHK'
        mov   ax, 04h
        int   3
        cmp   al, 4
        jnz   SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information about
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00AD" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE the int 3 raises a breakpoint
  exception that the program catches; with SoftICE the int 3 is swallowed
  and the loop runs all six commands, the last of which (HBOOT) reboots
  the machine.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its
entry point; otherwise ES:DI stays at the 0:0 the code pre-loads.

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 0202h         ; VxD ID of WINICE
        int   2Fh
        mov   ax, es            ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 7A5Fh         ; VxD ID of SIWVID
        int   2Fh
        mov   ax, es            ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest (safe only under Windows, where the VMM
provides an int 41h handler):

        mov   ax, 4Fh
        int   41h
        cmp   ax, 0F386h
        jz    SoftICE_Detected


This one and the next one (Method 06) are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Under plain DOS the int 41h vector is
not code at all (it points at the hard disk 0 parameter table), so the
program first installs its own handler (a bare IRET) in the interrupt
vector table, calls int 41h and then restores the vector. SoftICE hooks
int 41h in ring 0, below the vector table, so it still answers 0F386h:

        xor   ax, ax
        mov   es, ax            ; ES = 0: the interrupt vector table
        mov   bx, cs
        lea   dx, int41handler2
        xchg  dx, es:[41h*4]    ; swap in our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        mov   ax, 4Fh
        int   41h
        xchg  dx, es:[41h*4]    ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   ax, 0F386h
        jz    SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but harder to spot because
it never uses function 4Fh and never compares against 0F386h. The
installed handler copies AL into CL; the caller loads AL with a byte that
keeps changing (the PIT counter read from port 40h), clears CX and issues
int 41h. If the vector-table handler ran, CL equals AL afterwards. If
SoftICE took the interrupt itself in ring 0 and the installed handler never
ran, CL is still 0 and differs from AL (a false negative is possible in the
rare case where the byte read from port 40h happens to be 0):

int41handler PROC
        mov   cl, al
        iret
int41handler ENDP


        xor   ax, ax
        mov   es, ax            ; ES = 0: the interrupt vector table
        mov   bx, cs
        lea   dx, int41handler
        xchg  dx, es:[41h*4]    ; swap in our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        in    al, 40h           ; PIT channel 0 counter: a changing byte
        xor   cx, cx
        int   41h
        xchg  dx, es:[41h*4]    ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   cl, al
        jnz   SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h answers
0F386h in AX when a debugger is installed.

        mov   ah, 43h
        int   68h
        cmp   ax, 0F386h
        jz    SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

        mov   ah, 25h                  ; DOS: set interrupt vector
        mov   al, Int_Number           ; 01h or 03h
        mov   dx, offset New_Int_Routine
        int   21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name    ; only used when there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints (BPM) are set, simply by reading
DR0 to DR3 and DR7 (possible in ring 0 only, since MOV from a debug
register is a privileged instruction). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active (the code lives inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when
the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device exists, so the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push  00402025          ; \\.\SICE
        0040106C:  call  CreateFileA
        00401071:  cmp   eax, -001
        00401074:  je    00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push  00                  ; OF_READ
        mov   eax, [00656634]     ; '\\.\SICE',0
        push  eax
        call  KERNEL32!_lopen
        inc   eax                 ; HFILE_ERROR (-1) becomes 0
        jnz   00650589            ; detected
        push  00                  ; OF_READ
        mov   eax, [00656638]     ; '\\.\SICE'
        push  eax
        call  KERNEL32!_lopen
        inc   eax
        jz    006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push  0000004Fh            ; function 4Fh
        push  002A002Ah            ; high word selects the VxD (VWIN32),
                                   ; low word selects the service
                                   ; (VWIN32_Int41Dispatch)
        call  Kernel32!ORD_0001    ; VxDCall
        cmp   ax, 0F386h           ; magic number returned by system debuggers
        jz    SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
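The instruction sequences in Methods 01 through 07 and 12 are distinctive enough to be found statically in a protected executable before it is ever run under SoftICE. The scanner below is an added example, not code from the original text or from any tool it mentions: it holds the byte encodings of those sequences exactly as the methods write them (a real sample may reorder or interleave the instructions, so a hit is a lead for a manual look rather than proof), scans a buffer for them and reports offset and method. The sample buffer, signature names and function names are this example's own.

```c
/* Static scanner for the SoftICE-detection sequences shown in Methods 01-07
 * and 12. Added example, not code from the original text. Each pattern is
 * the x86 encoding of the instructions as written in the method: 16-bit
 * encodings for the DOS/V86 tricks, 32-bit for the Win32 ones. The sample
 * buffer at the bottom is constructed, not taken from a real binary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sig {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
};

/* Method 01 (32-bit): mov ebp,4243484Bh 'BCHK' ; mov ax,4 ; int 3 */
static const uint8_t m01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC};
/* Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; int 3 */
static const uint8_t m02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Methods 03/04 (16-bit): mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
static const uint8_t m03[] = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};
static const uint8_t m04[] = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};
/* Method 05 (16-bit): mov ax,4Fh ; int 41h */
static const uint8_t m05[] = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 07: mov ah,43h ; int 68h (same bytes in 16- and 32-bit code) */
static const uint8_t m07[] = {0xB4,0x43, 0xCD,0x68};
/* Method 12 (32-bit): push 4Fh ; push 2A002Ah ; (call VxDCall follows) */
static const uint8_t m12[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};

#define SIG(n, a) { n, a, sizeof(a) / sizeof((a)[0]) }
static const struct sig sigs[] = {
    SIG("M01 BoundsChecker 'BCHK' int 3",       m01),
    SIG("M02 SoftICE back door (SI/DI magic)",   m02),
    SIG("M03 int 2F/1684 VxD id 0202 (WINICE)",  m03),
    SIG("M04 int 2F/1684 VxD id 7A5F (SIWVID)",  m04),
    SIG("M05 int 41/4F debugger check",          m05),
    SIG("M07 int 68/43 debugger check",          m07),
    SIG("M12 VxDCall VWIN32_Int41Dispatch 4F",   m12),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

size_t sig_count(void) { return NSIGS; }

static int match_at(const uint8_t *buf, size_t n, size_t pos, const struct sig *s)
{
    if (s->len > n - pos) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (buf[pos + i] != s->pat[i]) return 0;
    return 1;
}

/* Scan buf for every signature; optionally print offset and name of each hit.
 * Returns the number of hits. */
size_t scan_sice_sigs(const uint8_t *buf, size_t n, int verbose)
{
    size_t hits = 0;
    for (size_t pos = 0; pos < n; pos++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, n, pos, &sigs[k])) {
                hits++;
                if (verbose) printf("%08zx  %s\n", pos, sigs[k].name);
            }
    return hits;
}

/* Constructed sample: nop filler around four of the sequences above. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x90,
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,                  /* Method 02 */
    0x90, 0x90,
    0xB8,0x4F,0x00, 0xCD,0x41,                             /* Method 05 */
    0x90,
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC,   /* Method 01 */
    0x90, 0x90,
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                   /* Method 12 */
    0xC3,
};

size_t scan_sample(int verbose)
{
    return scan_sice_sigs(sample, sizeof sample, verbose);
}

int main(void)
{
    size_t hits = scan_sample(1);
    printf("%zu hit(s) out of %zu known sequences\n", hits, sig_count());
    return 0;
}
```

Both `int 3` encodings exist (`CC` and `CD 03`); the patterns use the single-byte form shown in the text. Feed `scan_sice_sigs` the raw code section of the file under analysis; for a packed file, scan the memory image after the unpacking stub has run instead, since the stub itself is usually where these checks live.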
__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>