About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
# i, J$ o: o% o4 C0 _% |% e1 k</PRE></TD></TR></TBODY></TABLE>