<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (If SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of winice
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax         ; ES:DI stays 0 when the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own dummy int 41h handler
    xchg bx, es:[41h*4+2]    ; (the old vector is saved in dx:bx)
    mov ax,4fh
    int 41h                  ; without a debugger this reaches int41handler2
                             ; and ax is left unchanged (4fh)
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; a debugger hooking int 41h still answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; the dummy handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read an unpredictable byte (timer channel 0)
    xor cx,cx
    int 41h                  ; reaches int41handler only if no debugger hooks int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl is still 0 if a debugger swallowed the int
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number                 ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory.
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
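As an added example (not part of the original text), here is a small Python scanner that looks in a raw code dump for the byte patterns of the tricks described in methods 01 to 13, the way an analyst triages a protected binary for anti-debugger checks before tracing it. The encodings are derived from the listings above (16-bit immediates, with an optional 0x66 prefix for 32-bit code) and the sample blob is constructed here, not taken from any real program.

```python
import re

# Byte patterns for the anti-SoftICE tricks described above. Encodings are
# the 16-bit forms from the listings (B8/BB/BE/BF imm16, CD int, CC int 3);
# the optional 0x66 prefix covers 16-bit immediates inside 32-bit code, and
# the lazy ".{0,N}?" gaps allow a few unrelated instructions in between.
SIGNATURES = {
    "01": ("BCHK BoundsChecker check: mov ebp,4243484Bh ... int 3",
           rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    "02": ("back door: mov si,4647h / mov di,4A4Dh ... int 3",
           rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A.{0,16}?\xCC"),
    "03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
           rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    "04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
           rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    "05": ("int 41h function 4Fh: mov ax,4Fh ... int 41h",
           rb"(?:\x66)?\xB8\x4F\x00.{0,16}?\xCD\x41"),
    "07": ("int 68h function 43h: mov ah,43h ... int 68h",
           rb"\xB4\x43.{0,8}?\xCD\x68"),
    "11": ("MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)",
           rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12": ("VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
           rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}?\x68\x2A\x00\x2A\x00"),
    "13": ("registry lookup of the SoftICE install key",
           rb"Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes):
    """Return (offset, method, description) for every pattern hit, by offset."""
    hits = []
    for method, (desc, pattern) in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Distinct method numbers hit in blob, e.g. ['02', '05', '11']."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample (not a real binary): nop filler, the Haspinst-style
# back-door loop of Method 02 encoded from the listing above, an int 41h/4Fh
# check (Method 05) and a MeltICE device name (Method 11).
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC")
    + b"\x90" * 4
    + bytes.fromhex("B84F00 CD41 3D86F3 7402")
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```

Run it on a dumped code segment instead of SAMPLE to get the offsets where a BPX is worth placing; a hit is a lead to verify in the debugger, not proof, since short patterns such as the Method 12 pushes can occur in unrelated code.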
</PRE></TD></TR></TBODY></TABLE>