About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; al is modified when SoftICE services this int 3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table (needed for es:[41h*4])
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC                   ; our handler only copies al into cl
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; any value (timer port)
    xor     cx,cx
    int     41h                     ; if SoftICE owns int 41h, our handler never runs
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device could be opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
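The byte sequences the methods above compile to can be matched directly in a sample, which is how an analyst knows which trick to set breakpoints for before stepping through it. This is an added example, not code from the original post: a small signature scanner for methods 01 to 05, 07, 11 and 12, run over a buffer constructed here; the operand sizes assumed are those of the listings (16-bit code for the DOS int 3/2Fh/41h/68h checks, 32-bit code for the BCHK and VxDCall checks).

```python
import re
from typing import List, Tuple

# (method label, regex over raw bytes) for each anti-SoftICE check.
# Byte encodings follow the listings: 16-bit code for the DOS interrupt
# checks, 32-bit code for the BCHK and VxDCall sequences (assumption).
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("01 BoundsChecker int 3 (BCHK)",
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00(?:\xCC|\xCD\x03)")),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (DOS 16-bit encoding)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)")),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    ("03 int 2Fh/1684h, SICE VxD id 0202h",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("04 int 2Fh/1684h, SIWVID VxD id 7A5Fh",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h (optional 66h prefix in 32-bit code)
    ("05 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(b"|".join(re.escape(b"\\\\.\\" + n)
                          for n in (b"SICE", b"SIWVID", b"NTICE")))),
    # Method 12: push 4Fh (imm8 or imm32) / push 002A002Ah before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan_for_anti_softice(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method label) for every signature hit, sorted by offset."""
    hits = [(m.start(), label) for label, pat in SIGNATURES
            for m in pat.finditer(buf)]
    return sorted(hits)


# Constructed sample (not from any real binary): NOP padding, Method 01,
# zero padding, Method 04, a MeltICE device name, then a Method 12 prologue.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # ... int 3 / cmp al,4
    + b"\x00" * 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                   # mov ax,1684h ... int 2Fh
    + b"\\\\.\\SICE\x00"                                    # "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for offset, label in scan_for_anti_softice(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```

Matches are heuristic: the 16-bit patterns can collide with unrelated 32-bit instruction streams, so treat a hit as a place to look, not proof.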