<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes: with
EBP='BCHK' and AX=04h, SoftICE answers the INT 3 and modifies AL, so a
value other than 4 afterwards means it is loaded.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point); a non-zero ES:DI means the VxD is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
8 i! E; b. u8 ?0 F- ~) XMethod 04& q1 f' S3 u; k" X' o" Y( y
=========3 a7 k0 |! i, X/ Y
" V \% k) _( p# M! i8 ?8 ~' UMethod identical to the preceding one except that it seeks the ID of SoftICE
$ Z. {) N( F( T' P9 ^' l' P8 P! |GFX VxD.( A1 U0 `; D# _- Z5 }6 j/ a
" b2 k( r0 F- M xor di,di
# I1 q% Z- X) K) Q: k0 ~% v mov es,di
6 d. x0 }2 {) J/ H- b2 h mov ax, 1684h
$ \! l% [4 m" _+ b3 F mov bx, 7a5Fh ; VxD ID of SIWVID
9 o. Q$ R* u2 t- @& s! m int 2fh
" n; E, T$ N; d% E9 n# Y mov ax, es ; ES:DI -> VxD API entry point3 ^) f7 ?8 H5 @# I0 s
add ax, di
1 G+ s; o3 |. [: v, e: q# k9 R test ax,ax+ c; i/ }/ |# |% V# C
jnz SoftICE_Detected5 l$ d! @7 x* i8 |
A/ n5 h4 x/ N/ S__________________________________________________________________________
! h) x7 P/ M3 k: Q6 Q- X# n
# S% `& \" [ n& [* ^' T7 S( R7 }( ?5 p7 e; F3 _! o9 S6 g
Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect: a temporary
int 41h handler copies AL into CL; if SoftICE intercepts int 41h, that
handler never runs and CL no longer matches AL.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler hooked on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs, for instance).

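Decoding DR7 shows what the two readings above actually contain: bit 10 always reads as 1 (the 0x400 baseline), 0x700 additionally has the LE and GE exact-match bits (8 and 9) set, and a memory breakpoint (BPM) appears as an Ln/Gn enable bit together with its R/W and LEN fields. The decoder below is an added example written for this page, not code from the original text; the bit layout is Intel's documented DR7 format, and the classification strings simply mirror the two cases the text names.

```python
# Added example (not part of the original text): decode the DR7 value that
# Method 10 inspects.  Layout per Intel's debug-register documentation:
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit 8/9    LE / GE          local/global exact breakpoint match
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     GD               general detect (traps MOV to/from DRn)
#   bits 16+4n R/W n (2 bits)   00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4n LEN n (2 bits)   00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes

RW_CODE = {"execute": 0, "write": 1, "io": 2, "read/write": 3}
RW_NAME = {v: k for k, v in RW_CODE.items()}
LEN_CODE = {1: 0, 2: 1, 4: 3, 8: 2}
LEN_BYTES = {v: k for k, v in LEN_CODE.items()}


def decode_dr7(dr7: int) -> dict:
    """List the hardware breakpoints DR7 enables and the LE/GE/GD flags."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        breakpoints.append({
            "index": n,
            "scope": "global" if glob else "local",
            "type": RW_NAME[(dr7 >> (16 + 4 * n)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def set_bpm(dr7: int, index: int, access: str, length: int, local: bool = True) -> int:
    """Return dr7 with a memory breakpoint programmed into DR<index>,
    which is what a debugger does behind a BPM command."""
    enable_bit = 2 * index + (0 if local else 1)
    shift = 16 + 4 * index
    dr7 &= ~(0xF << shift)              # clear the old R/W and LEN fields
    dr7 |= 1 << enable_bit
    dr7 |= RW_CODE[access] << shift
    dr7 |= LEN_CODE[length] << (shift + 2)
    return dr7


def classify(dr7: int) -> str:
    """Map a DR7 reading onto the situations the text describes."""
    state = decode_dr7(dr7)
    if state["breakpoints"]:
        return "memory breakpoints set"
    if state["le"] and state["ge"]:
        return "loaded through the SoftICE loader"   # the text's 0x700 reading
    return "clean"                                   # the text's 0x400 reading


if __name__ == "__main__":
    for value in (0x400, 0x700, set_bpm(0x400, 0, "read/write", 4)):
        print(f"DR7={value:#010x}: {classify(value)} {decode_dr7(value)}")
```

Running it shows that a single 4-byte read/write BPM on DR0 turns 0x400 into 0xF0401, which is exactly the kind of value a protector reading DR7 in ring0 would notice.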
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
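Every trick from Method 01 to Method 13 leaves a fixed pattern in the protected file: the immediates 'BCHK' (Method 01), 4647h/4A4Dh (02), 1684h with the two VxD IDs (03/04), 4Fh before int 41h (05), 43h before int 68h (07), the VxDCall service 2A002Ah (12), the `\\.\SICE`-style device names (11) and the NuMega registry path (13). The Python scanner below is an added example written for this page, not code from the text or from any tool it mentions; it turns those sequences into byte regexes (standard x86 encodings, 16-bit forms with an optional 66h prefix where the 32-bit form differs, and up to 8 bytes of slack between instructions) and runs them over a constructed sample blob, so an analyst can list which checks to expect before tracing a sample.

```python
import re

# Added example (not part of the original text): static triage scanner for the
# SoftICE detection tricks of Methods 01-07, 11, 12 and 13.  Opcode encodings
# are the standard x86 ones; the SAMPLE blob at the bottom is constructed.

GAP = rb".{0,8}?"   # tolerate up to 8 bytes between the instructions of one trick
DOTALL = re.DOTALL  # '.' must also match 0x0A bytes

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42" + GAP + rb"(?:\x66)?\xB8\x04\x00" + GAP + rb"\xCC"),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic values)
    ("02 back door magic values SI=4647h DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46" + GAP + rb"(?:\x66)?\xBF\x4D\x4A" + GAP + rb"\xCC"),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh magic number F386h",
     rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h V86 check",
     rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    # Method 12: push 4Fh ... push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00"),
    # Method 11: device names opened with CreateFileA / _lopen
    ("11 device name \\\\.\\SICE", re.escape(b"\\\\.\\SICE")),
    ("11 device name \\\\.\\SIWVID", re.escape(b"\\\\.\\SIWVID")),
    ("11 device name \\\\.\\NTICE", re.escape(b"\\\\.\\NTICE")),
    # Method 13: registry key #2 (matched case-insensitively, as the registry is)
    ("13 registry key Software\\NuMega\\SoftICE", re.escape(b"Software\\NuMega\\SoftICE")),
]


def _compile(label, pattern):
    flags = DOTALL | re.IGNORECASE if label.startswith("13") else DOTALL
    return label, re.compile(pattern, flags)


COMPILED = [_compile(label, pattern) for label, pattern in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(blob: bytes) -> set:
    """The set of method numbers (the label prefix) present in the blob."""
    return {label.split()[0] for _, label in scan(blob)}


# Constructed sample: NOP padding, a Method 01 check, a Method 02 back-door
# call (AX=0911h), a device name, a Method 03 check and the Method 13 key.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02, mov si at 22
    + b"\x00\\\\.\\SICE\x00"                                # device name at 30
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                    # Method 03 at 39
    + b"Software\\NuMega\\SoftICE\x00"                       # registry key at 47
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

The gap tolerance matters in practice: protectors often interleave a register save or a junk instruction between the `mov` and the `int`, and an exact-sequence match would miss them; raise `GAP` if a sample still slips through, at the cost of more false positives on data.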
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>