About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The driver name is opened like a file; the VxD answers the open
      request only when it is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
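As an added example (not part of the original post), a small Python triage scanner that looks for the byte encodings of the magic values the methods above rely on, so an analyst can see which of these anti-SoftICE checks a sample carries before loading it in a debugger. The opcode encodings are assumed from the 16-bit listings (the 32-bit forms only add a 66h prefix in front, so the same bytes still match), and the sample image is constructed.

```python
"""Triage scanner for the anti-SoftICE tricks catalogued above.

Constructed example, not taken from the original text. It flags the
byte encodings of the magic values each method relies on. Encodings
assume 16-bit immediates as in the DOS listings; the 32-bit forms only
add a 66h operand-size prefix, so the same byte runs still match.
"""
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' / int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) ... int 3
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46).{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name (SICE/SIWVID/NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 2A002Ah ahead of the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch / 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: NuMega registry key
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image (not a real binary) carrying three tricks."""
    filler = b"\x90" * 16                                   # NOP padding
    # Haspinst-style back door: mov ax,0911h / mov dx,[bx] /
    # mov si,4647h / mov di,4A4Dh / int 3
    m02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")
    # mov ax,4Fh / int 41h / cmp ax,0F386h / jz +6
    m05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7406")
    m11 = b"\\\\.\\SICE\x00"                                # MeltICE string
    return filler + m02 + filler + m05 + filler + m11 + filler


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print(f"{offset:#06x}  {label}")
```

Run it against a raw code section or an unpacked DOS image; hits only say a check is present, not that it fires, so confirm each one by reading the surrounding code.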