<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; AL is no longer 4 when SoftICE answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of SoftICE's VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax          ; ES:DI stays 0 when the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE's
GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                 ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install the dummy handler, saving the
    xchg bx, es:[41h*4+2]     ; old vector in DX:BX
    mov ax,4fh
    int 41h                   ; a real-mode handler in the IVT can no longer
                              ; answer; only a debugger hooking the interrupt
                              ; underneath (SoftICE) can set AX
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                 ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install the handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                ; unpredictable value read from the timer chip
    xor cx,cx
    int 41h                   ; our handler copies AL into CL ...
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ... unless SoftICE swallowed the interrupt
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
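An added example (not part of the original text) of what the ring0 read in method 10 actually sees: a Python decoder for the DR7 fields, which explains the 0x700 vs 0x400 values quoted above (bit 10 always reads as 1; 0x700 additionally has the LE/GE exact-breakpoint bits set) and lists any BPM armed in dr0-dr3. The sample values are constructed.

```python
# Field layout of DR7 (Intel SDM, debug registers); the same since the 386.
RW_KIND = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 2 means 8 bytes only on 64-bit CPUs

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enable flags and the per-register breakpoint setup."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * n + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue                          # drN holds no armed breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: which access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: how many bytes it covers
        breakpoints.append({"reg": f"dr{n}",
                            "scope": "global" if glob else "local",
                            "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),             # bit 8: local exact breakpoint enable
        "ge": bool(dr7 & 0x200),             # bit 9: global exact breakpoint enable
        "reserved_set": bool(dr7 & 0x400),   # bit 10: always reads as 1
        "gd": bool(dr7 & 0x2000),            # bit 13: general detect (traps MOV DRn)
        "breakpoints": breakpoints,
    }

def looks_like_loader_value(dr7: int) -> bool:
    """The comparison method 10 describes: LE and GE set, nothing armed (0x700)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not d["breakpoints"]

# Constructed values: the two quoted in the text plus a 4-byte global write
# BPM on dr0 (G0 = bit 1, R/W0 = 01 at bits 16-17, LEN0 = 11 at bits 18-19).
EXAMPLES = {
    "softice loader": 0x700,
    "plain": 0x400,
    "bpm on dr0": 0x400 | 0x2 | 0x10000 | 0xC0000,
}

if __name__ == "__main__":
    for label, value in EXAMPLES.items():
        print(f"{label:15s} dr7=0x{value:x} -> {decode_dr7(value)}")
```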

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( )
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
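An added example (not from the original text or any of the tools it names): a small Python scanner that searches a raw file image for the byte encodings of the checks described in methods 01 through 07, 11, 12 and 13, so an analyst can see which anti-SoftICE tricks a packed sample carries before stepping into it. The patterns are my encodings of the instruction sequences and strings shown above (the optional 0x66 prefix covers 16-bit register forms in 32-bit code); the sample bytes are constructed.

```python
import re

# Instruction-byte and string signatures for the checks walked through above.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "BoundsChecker int 3 (method 01)": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (the back door magic values)
    "int 3 back door magic (method 02)": rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int 2Fh/1684h VxD ID (method 03/04)":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "int 41h/4Fh (method 05)": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "int 68h/43h (method 07)": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah before VxDCall
    "VxDCall Int41Dispatch (method 12)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: device names handed to CreateFileA / _lopen
    "driver device name (method 11)": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key as stored in the binary
    "registry key (method 13)": rb"NuMega\\SoftICE",
}

def scan(data: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample "binary": filler, the method 01 check, a MeltICE device
# name, then a 16-bit method 05 check followed by its cmp ax,0F386h.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04x}: {name}")
```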

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>