<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - command is in ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is expected to hold 0 here (the IVT segment), see Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
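The same stubs that trip these breakpoints at run time also leave fixed byte sequences in the file, which is what an analyst triaging a packed sample usually looks for first. The following scanner is an added example, not from the original text: it covers methods 01, 02, 03/04, 05, 07, 11 and 12 above, with the x86 encodings written out by hand and a sample buffer constructed for illustration.

```python
import re

# x86 encodings of the stubs shown above, written out by hand (assumption:
# 16-bit DOS form for methods 02/03/04/05/07, 32-bit form for 01/12; the 66h
# operand-size prefix is allowed where 32-bit code would emit it).
PATTERNS = [
    ("01", "BoundsChecker 'BCHK': mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4",
     rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"),
    ("02", "int 3 back door: mov si,4647h / mov di,4A4Dh then int 3",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    ("05", "int 41h function 4Fh then cmp ax,0F386h",
     rb"\x66?\xB8\x4F\x00\xCD\x41.{0,6}?\x66?\x3D\x86\xF3"),
    ("07", "int 68h function 43h then cmp ax,0F386h",
     rb"\xB4\x43\xCD\x68.{0,6}?\x66?\x3D\x86\xF3"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
# Method 11: the driver names MeltICE opens; searched as ASCII and as UTF-16LE.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(buf):
    """Return sorted (offset, method, description) hits found in the raw bytes."""
    hits = []
    for method, desc, pat in PATTERNS:
        for m in re.finditer(pat, buf, re.DOTALL):  # DOTALL: '.' must match 0Ah too
            hits.append((m.start(), method, desc))
    for name in DEVICE_NAMES:
        text = name.decode("ascii")
        for enc in (name, text.encode("utf-16-le")):
            for m in re.finditer(re.escape(enc), buf):
                hits.append((m.start(), "11", "MeltICE driver name " + text))
    return sorted(hits)


def methods_found(buf):
    """Distinct page method numbers present, in offset order (for a triage report)."""
    seen = []
    for _, method, _ in scan(buf):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample (not from a real file): filler, a Method 01 stub, an unrelated
# prologue, a Method 05 stub, an ASCII "\\.\SICE" string and the Method 12 pushes.
SAMPLE = (b"\x90" * 4
          + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01 + jnz
          + b"\x55\x8B\xEC"                                            # push ebp / mov ebp,esp
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                 # 05 + jz
          + b"\\\\.\\SICE\x00"                                          # 11
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15")                    # 12 + call [..]

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"0x{off:04X}  method {method:<5} {desc}")
```

A hit only says the stub is present, not that it is reached; confirm with the BPX/BPINT conditions listed in the sections above before concluding anything about the sample.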
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>