<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: the program puts the
signature 'BCHK' in EBP and calls int 3. If SoftICE is loaded it handles the
call and AL no longer holds the value 4 that was passed in.

        mov   ebp, 04243484Bh    ; 'BCHK' signature
        mov   ax, 04h
        int   3
        cmp   al, 4              ; AL is modified only when SoftICE answers
        jnz   SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It looks for the SoftICE VxD by asking for its API
entry point with int 2Fh/1684h (Get VxD API entry point): the call returns
ES:DI = 0000:0000 if the VxD is not loaded, which is why ES:DI is zeroed
first.

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 0202h          ; VxD ID of SICE (WinICE)
        int   2Fh
        mov   ax, es             ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax             ; ES:DI == 0:0 means not loaded
        jnz   SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 7A5Fh          ; VxD ID of SIWVID
        int   2Fh
        mov   ax, es             ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned in AX by system
debuggers. It calls int 41h (the Windows debugging kernel interface),
function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov   ax, 4Fh
        int   41h
        cmp   ax, 0F386h
        jz    SoftICE_Detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler: a debugger that intercepts int 41h before it reaches the
real-mode vector still answers 0F386h, whereas without a debugger the dummy
handler runs and AX keeps its value.

        xor   ax, ax
        mov   es, ax             ; ES = 0 -> interrupt vector table
        mov   bx, cs
        lea   dx, int41handler2
        xchg  dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        mov   ax, 4Fh
        int   41h
        xchg  dx, es:[41h*4]     ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   ax, 0F386h
        jz    SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect.
The dummy handler copies AL into CL; if a debugger intercepts int 41h the
handler never runs and CL stays different from AL (should the byte read from
the timer port happen to be 0, the check misses):

int41handler PROC
        mov   cl, al
        iret
int41handler ENDP

        xor   ax, ax
        mov   es, ax             ; ES = 0 -> interrupt vector table
        mov   bx, cs
        lea   dx, int41handler
        xchg  dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        in    al, 40h            ; unpredictable value from the timer port
        xor   cx, cx
        int   41h
        xchg  dx, es:[41h*4]     ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   cl, al
        jnz   SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger interface;
function 43h is the installation check):

        mov   ah, 43h
        int   68h
        cmp   ax, 0F386h
        jz    SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It uses int 21h functions 35h and 25h (get/set interrupt vector); DS:DX
points to the new routine to execute (which hangs the computer...):

        mov   ah, 25h            ; set interrupt vector
        mov   al, Int_Number     ; 01h or 03h
        mov   dx, offset New_Int_Routine   ; DS:DX -> new handler
        int   21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 application through the
VxDCall back door).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

        mov   eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID
        mov   edi, Device_Name   ; only used when there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov   [DDB], ecx         ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3 hold the BPM addresses, DR7 enables them).
The values can be manipulated or changed as well (clearing BPMs, for
instance).
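To make the two DR7 values quoted above readable, here is an added Python
example (not code from the page's author) that decodes DR7 into the hardware
breakpoints it enables, programs or clears a breakpoint the way a BPM does,
and reports the LE/GE bits. The register layout is the architectural one
(Ln/Gn in bits 0-7, LE/GE in bits 8-9, GD in bit 13, R/Wn and LENn in bits
16-31); the DR0-DR3 addresses passed in and the sample values are constructed
for the demonstration.

```python
"""Decode and edit the x86 DR7 debug-control register read by Method 10.

Added example, not code from the page. 0x400 is only bit 10, which the CPU
always reads back as 1 (no breakpoint enabled); 0x700 additionally has
LE (bit 8) and GE (bit 9) set and still enables no breakpoint.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b means 8 bytes (64-bit mode only)
ACCESS_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_CODES = {v: k for k, v in LEN_NAMES.items()}


@dataclass
class HwBreakpoint:
    index: int            # 0..3, i.e. which of DR0-DR3 holds the address
    local: bool           # Ln bit: enabled for the current task
    global_: bool         # Gn bit: enabled for all tasks
    access: str           # execute / write / io / read-write
    length: int           # bytes covered
    address: Optional[int]


@dataclass
class Dr7Info:
    raw: int
    local_exact: bool     # LE, bit 8
    global_exact: bool    # GE, bit 9
    general_detect: bool  # GD, bit 13: #DB on any MOV to/from a debug register
    breakpoints: List[HwBreakpoint]


def decode_dr7(dr7: int, dr0_3: Sequence[Optional[int]] = (None,) * 4) -> Dr7Info:
    """Split DR7 into its enabled breakpoints; dr0_3 are the (sample) DRn addresses."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                       # RW/LEN fields mean nothing when disabled
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_NAMES[ln], dr0_3[i]))
    return Dr7Info(dr7, bool(dr7 & 0x100), bool(dr7 & 0x200), bool(dr7 & 0x2000), bps)


def set_breakpoint(dr7: int, index: int, access: str, length: int,
                   local: bool = True, glob: bool = False) -> int:
    """Return dr7 with breakpoint `index` programmed (the address itself goes in DRn)."""
    if not 0 <= index < 4:
        raise ValueError("index must be 0..3")
    if access == "execute" and length != 1:
        raise ValueError("execute breakpoints must use LEN=1")
    keep = ~((3 << (2 * index)) | (0xF << (16 + 4 * index))) & 0xFFFFFFFF
    dr7 &= keep                            # wipe this slot's enable and RW/LEN bits
    dr7 |= (int(local) | (int(glob) << 1)) << (2 * index)
    dr7 |= (ACCESS_CODES[access] | (LEN_CODES[length] << 2)) << (16 + 4 * index)
    return dr7


def clear_breakpoints(dr7: int) -> int:
    """Drop every Ln/Gn enable and RW/LEN field; keep LE/GE/GD and the fixed bit 10."""
    return dr7 & 0x0000FF00


def describe(info: Dr7Info) -> List[str]:
    """Human-readable summary, one line per finding."""
    lines = ["DR7=0x%08X LE=%d GE=%d GD=%d" % (info.raw, info.local_exact,
                                                info.global_exact, info.general_detect)]
    if info.local_exact and info.global_exact and not info.breakpoints:
        lines.append("LE/GE set with no breakpoint: matches the 0x700 quoted for "
                     "programs started by the SoftICE loader")
    for bp in info.breakpoints:
        where = "0x%08X" % bp.address if bp.address is not None else "DR%d" % bp.index
        scope = "global" if bp.global_ else "local"
        lines.append("DR%d: %s, %d byte(s) at %s (%s)"
                     % (bp.index, bp.access, bp.length, where, scope))
    if not info.breakpoints:
        lines.append("no hardware breakpoint enabled")
    return lines


if __name__ == "__main__":
    # constructed sample: loader value plus one 4-byte write BPM in DR0
    value = set_breakpoint(0x700, 0, "write", 4)
    for line in describe(decode_dr7(value, (0x00401000, None, None, None))):
        print(line)
    print("after clearing: 0x%X" % clear_breakpoints(value))
```

Reading the registers needs ring 0 (a VxD or a kernel driver); this code only
interprets the values once you have them, and shows why a protection that
checks `dr7 != 0x400` catches both the loader's LE/GE bits and any BPM.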
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver devices
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* Win9x exposes loaded VxDs as \\.\NAME devices; SICE is the SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to intercept
it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025       ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001       ; INVALID_HANDLE_VALUE
        00401074: je   00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov  eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                 ; HFILE_ERROR (-1) becomes 0
        jnz  00650589            ; detected
        push 00                  ; OF_READ
        mov  eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited, because it is only available on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem
demo.

        push  0000004Fh          ; function 4Fh
        push  002A002Ah          ; high word specifies which VxD (VWIN32),
                                 ; low word which service (VWIN32_Int41Dispatch)
        call  Kernel32!ORD_0001  ; VxDCall
        cmp   ax, 0F386h         ; magic number returned by system debuggers
        jz    SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE' in
"Software\NuMega\SoftICE" and in the Uninstall path of key #1.)
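Rather than waiting for a breakpoint to fire, the tricks above can be found
statically. Here is an added Python example (not code from the page's author)
that scans a binary for the byte sequences left by Methods 01-05, 07 and 12,
the device names of Method 11 and the registry paths of Method 13. The opcode
encodings are the standard x86 ones (the 16-bit forms are what real-mode DOS
code such as Haspinst.exe contains; a 32-bit segment adds a 66h prefix to
16-bit register moves, which the patterns allow); the gap lengths between
instructions and the SAMPLE buffer are constructed for the demonstration.

```python
"""Static scanner for the SoftICE detection tricks described in this page.

Added example, not code from the page's author. SAMPLE is a constructed
buffer; use scan_file() on a real DOS/Win9x binary instead.
"""
import re
from typing import List, Tuple

# (name, description, pattern over raw bytes, extra regex flags)
SIGNATURES: List[Tuple[str, str, bytes, int]] = [
    ("method01_bchk", "mov ebp,'BCHK' followed by int 3 (BoundsChecker interface)",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", 0),
    ("method02_backdoor", "mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)",
     rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A", 0),
    ("method03_sice_vxd", "mov bx,0202h ... int 2Fh (SICE VxD entry point query)",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F", 0),
    ("method04_siwvid_vxd", "mov bx,7A5Fh ... int 2Fh (SIWVID VxD entry point query)",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", 0),
    ("method05_int41_4f", "mov ax,4Fh ... int 41h (debugger installation check)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41", 0),
    ("method07_int68_43", "mov ah,43h ... int 68h (V86 debugger installation check)",
     rb"\xB4\x43.{0,8}?\xCD\x68", 0),
    ("method12_vxdcall_int41", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", 0),
    ("magic_f386", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3D\x86\xF3", 0),
    ("method11_device_name", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("method13_registry", "SoftICE registry path (NuMega, Uninstall or Loader32 App Path)",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE),
]


def scan(data: bytes) -> List[dict]:
    """Return every signature hit in data, sorted by offset."""
    hits = []
    for name, desc, pattern, flags in SIGNATURES:
        # DOTALL so a 0x0A byte inside an instruction gap still matches '.'
        # (IGNORECASE is applied to the string patterns only, never to opcodes)
        for m in re.finditer(pattern, data, flags | re.DOTALL):
            hits.append({"name": name, "offset": m.start(),
                         "bytes": m.group(0), "desc": desc})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path: str) -> List[dict]:
    with open(path, "rb") as f:
        return scan(f.read())


def report(hits: List[dict]) -> List[str]:
    """Human-readable lines, one per hit: offset, signature, meaning, raw bytes."""
    return ["%08X  %-22s %s  [%s]" % (h["offset"], h["name"], h["desc"],
                                      h["bytes"].hex(" "))
            for h in hits]


# Constructed sample: a fake header, then snippets encoded as the page shows them.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (Haspinst)
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                            # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # Method 13 key #2
)

if __name__ == "__main__":
    for line in report(scan(SAMPLE)):
        print(line)
```

The int 2Fh and int 41h patterns key on the register load nearest the
interrupt so that either order of the two `mov`s matches; a `cmp ax,0F386h`
hit on its own is worth a look even when no int 41h/68h sequence is nearby,
since Method 12 reaches the same check through VxDCall.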

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je    not_installed      ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>