About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; answered by SoftICE's BoundsChecker interface
    cmp     al,4                   ; al is no longer 4 if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
These are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]    ; install our own int 41h handler, saving the old one
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler records al; SoftICE's handler does not
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; some pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al means our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name is "\\.\SICE"; opening it succeeds only if the VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.