About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker call and changes AL
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is expected to point to segment 0 (the interrupt vector table),
    ; as set up at the start of Method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in dx:bx
    mov     ax,4fh
    int     41h                     ; SoftICE intercepts int 41h before the IVT vector is reached
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; leaves ax untouched: without a debugger ax is still 4fh
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an arbitrary value (timer counter) in al
    xor     cx,cx
    int     41h                     ; if our handler ran, cl == al afterwards
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; the debugger answered int 41h itself: cl is still 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________$ n. i1 m  u. L- @
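An added example (not part of the original text) for Method 10 above: it decodes a DR7 value the way the ring-0 check would read it, and shows why the two values quoted differ, since bits 8 and 9 are the LE/GE exact-breakpoint-enable bits and bit 10 always reads as 1 (0x700 versus the bare 0x400). The DR7/DR0-DR3 values below are constructed.

```python
"""Decode DR7 as the ring-0 check in Method 10 would. Added example; bit
layout per Intel SDM vol. 3 ("Debug Registers"); sample values constructed."""
from dataclasses import dataclass

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}  # io needs CR4.DE
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode

DR7_LE = 1 << 8      # local exact breakpoint enable
DR7_GE = 1 << 9      # global exact breakpoint enable
DR7_BIT10 = 1 << 10  # reserved, always reads as 1: the bare 0x400 the text quotes


@dataclass
class ArmedBreakpoint:
    index: int       # which of DR0..DR3
    address: int     # linear address held in that DRn
    kind: str        # execute / write / io / read-write
    length: int      # bytes covered
    scope: str       # "local", "global" or "local+global"


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return (loader_signature, armed_breakpoints).

    loader_signature is True when both LE and GE are set, i.e. DR7 reads 0x700
    (program started through the SoftICE loader) instead of 0x400."""
    loader_signature = bool(dr7 & DR7_LE) and bool(dr7 & DR7_GE)
    armed = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))        # L0..L3: even bits 0,2,4,6
        glob = bool(dr7 & (1 << (2 * i + 1)))     # G0..G3: odd bits 1,3,5,7
        if not (local or glob):
            continue                              # DRn holds an address but is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/Wn field
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENn field
        scope = "local+global" if local and glob else ("global" if glob else "local")
        armed.append(ArmedBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], scope))
    return loader_signature, armed


def clear_bpms(dr7):
    """DR7 after the 'clearing BPMs' manipulation the text mentions: every enable,
    R/W and LEN bit dropped, LE/GE and the always-one bit 10 left alone. An analyst
    comparing a dump against this value can tell that a protector wiped the BPMs."""
    return (dr7 & (DR7_LE | DR7_GE)) | DR7_BIT10


# Constructed sample: started via the SoftICE loader (LE|GE) with one global 4-byte
# write BPM in DR1 -> G1 = bit 3, R/W1 = 01 (bits 20-21), LEN1 = 11 (bits 22-23)
SAMPLE_DR7 = DR7_LE | DR7_GE | DR7_BIT10 | (1 << 3) | (0b01 << 20) | (0b11 << 22)
SAMPLE_DR0_3 = (0, 0x0040123C, 0, 0)

if __name__ == "__main__":
    sig, bps = decode_dr7(SAMPLE_DR7, SAMPLE_DR0_3)
    print(f"DR7={SAMPLE_DR7:#010x} loader-signature={sig}")
    for bp in bps:
        print(f"  DR{bp.index}={bp.address:#010x} {bp.kind} len={bp.length} {bp.scope}")
    print(f"after clearing BPMs: {clear_bpms(SAMPLE_DR7):#010x}")
```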

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the Win9x device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;          /* the driver accepted the open: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

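As an added example that is not from the original text, here is a small static scanner (Python) for the byte encodings of the instruction sequences quoted in Methods 01, 02, 03/04, 05, 07 and 12 (the 'BCHK' probe, the SI/DI back door magic, int 2Fh/1684h with both VxD IDs, int 41h/4Fh, int 68h/43h, the VWIN32_Int41Dispatch VxDCall and the 0F386h compare): the offline counterpart of the BPX conditions listed above. The byte patterns are hand-encoded from the quoted assembly and the sample blob is constructed, not taken from Haspinst.exe, Bleem or any other file named on the page.

```python
"""Static scanner for the anti-SoftICE instruction sequences quoted on this page.
Added example; patterns hand-encoded from the quoted listings, sample constructed."""
import re

# (label, regex over raw bytes). 16-bit immediates are little-endian; an optional
# 66h prefix covers the same instruction inside 32-bit code. Short lazy gaps allow
# for the unrelated instructions seen between the key ones in the quoted listings.
SIGNATURES = [
    ("01 mov ebp,4243484Bh ('BCHK') BoundsChecker probe",
     rb"\x66?\xbd\x4b\x48\x43\x42"),
    ("02 mov si,4647h / mov di,4A4Dh back door magic values",
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"),
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f"),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    ("05 mov ax,4Fh / int 41h debugger installation check",
     rb"\xb8\x4f\x00.{0,32}?\xcd\x41"),
    ("07 mov ah,43h / int 68h",
     rb"\xb4\x43\xcd\x68"),
    ("12 push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("05/07/12 cmp ax,0F386h system-debugger magic number",
     rb"\x66?\x3d\x86\xf3"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return a list of (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: filler followed by hand-assembled copies of several tricks.
SAMPLE = (
    b"\x55\x8b\xec\x90\x90"                  # push bp / mov bp,sp / nop / nop (filler)
    b"\x66\xbd\x4b\x48\x43\x42"              # mov ebp,4243484Bh                (Method 01)
    b"\xb8\x04\x00\xcc\x3c\x04\x75\x00"      # mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xb8\x11\x09\x8b\x17"                  # mov ax,0911h / mov dx,[bx]       (Method 02)
    b"\xbe\x47\x46\xbf\x4d\x4a\xcc"          # mov si,4647h / mov di,4A4Dh / int 3
    b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"      # mov ax,1684h / mov bx,7A5Fh / int 2Fh (Method 04)
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"      # mov ax,4Fh / int 41h / cmp ax,0F386h  (Method 05)
    b"\x6a\x4f\x68\x2a\x00\x2a\x00"          # push 4Fh / push 002A002Ah        (Method 12)
    b"\xc3"                                  # ret
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it over a real executable with `scan(open(path, "rb").read())`; hits are a triage hint only, since the same byte sequences can occur in unrelated code.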
% j4 g8 |6 R/ ?. S__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF is set when no debugger is installed

This service just checks a flag.
0 ^: C0 U* ?8 H. Z2 Z; v</PRE></TD></TR></TBODY></TABLE>