<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
0 q! |( N( F1 r6 B o& P& `
" `; Y! h) A7 Q! \2 I6 Y8 V. \0 J7 w) J5 z, w, t9 k6 ^8 e" |
Method 03
8 s# A; o8 h) Q=========* S; o1 e% I5 |+ o+ P7 }& N/ i
/ x2 }1 D3 C+ E7 a7 V+ ULess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h; V) V! P- u4 Q4 U
(API Get entry point)5 \& F( O% t0 a- s0 s3 ?3 N( ~
( M4 X: D% t0 D2 {8 r- p
; }! c4 K$ l2 E2 F xor di,di
|1 y; b4 h8 M+ ?$ I mov es,di
5 u7 q# G! w1 C+ ?4 j mov ax, 1684h 3 `: A+ o: z3 D+ @$ o6 A2 n
mov bx, 0202h ; VxD ID of winice! P: p4 [; v" V# z
int 2Fh
% z4 e; F0 O% x mov ax, es ; ES:DI -> VxD API entry point
, Z4 _& |# S( j" u! c) V# I add ax, di
+ O- }/ V& ?2 m test ax,ax
) h& C0 z5 m8 D3 j4 { jnz SoftICE_Detected& U9 T# v6 o1 X$ X+ c2 P5 [
- _; C& q& q3 f
___________________________________________________________________________0 l- J( e& h" X6 d; Z& c% J* H
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
___________________________________________________________________________
+ X& {" F2 l: C( \; \2 f) HMethod 07% T# D+ b! a6 ]; S, P
=========+ p; b- b# l+ F
$ z8 T2 d$ f R4 [' q' aMethod of detection of the WinICE handler in the int68h (V86), c& k/ }2 p K7 V% b
$ Q6 u9 h) D: Q k
mov ah,43h2 I6 w8 p* {1 b; g- e: d3 Y3 g, M
int 68h
; D) i) R* a% b; ?4 i# L- \ cmp ax,0F386h) B( A2 b6 d3 ~# \7 I& A
jz SoftICE_Detected
7 ~, n. C0 d" ?' A
/ n7 ]4 {; _$ f2 k$ G
1 }1 q$ N% q Z4 p6 `% I( t6 R' f=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit A% S4 J# P# `2 l
app like this:5 L$ [+ _$ K M; C* Q- `0 m
/ E+ H# O& s7 [% E9 v" L3 {5 b BPX exec_int if ax==68
# t$ ?' N* z" ?" \( \' x# | (function called is located at byte ptr [ebp+1Dh] and client eip is
+ C0 b! Y2 L$ G located at [ebp+48h] for 32Bit apps)
7 u, ^/ O6 s' P: Z8 Y__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
$ t8 u5 `6 v# C+ D: q( M9 F$ [1 K. N% z( O2 k" k' M' ?' s
Method 10; j; z2 m# L- C2 E& z: W9 R
=========* v: F1 E( d D% o$ z' c: L
0 `- ~% w. z0 K+ \7 o
=>Disable or clear breakpoints before using this feature. DO NOT trace with
1 t) y& S: H! g+ e5 x) r2 M8 ~ SoftICE while the option is enable!!
$ z, I7 Z/ p7 y# A4 P9 u& V' t% h* D/ H2 m E! \9 G$ M
This trick is very efficient:
6 D6 h5 @' X4 A- Fby checking the Debug Registers, you can detect if SoftICE is loaded
- Q' ?: ^2 h( \/ r; ~, X(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
" b2 E2 b% M' J9 Sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
4 o% |0 m2 t8 rvalue (in ring0 only). Values can be manipulated and or changed as well+ K2 ?' C4 X: N& a4 N& x5 j. F
(clearing BPMs for instance)6 J' r- ]6 [" f' x8 L6 _
. N3 e, f9 O' p! [
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!

___________________________________________________________________________
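As an added example (not code from this page, nor from any packer or loader it names), the Python scanner below encodes the fixed core of the stubs from Methods 01, 03, 04, 05, 07 and 12 in both their 16-bit and 32-bit code forms and searches a buffer for them, which is how an analyst would flag these checks when looking at an unpacked sample. The byte encodings are the standard x86 ones; the register setup that varies between samples is left out, and int 3 is assumed in its one-byte CCh form.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Insn:
    code: bytes            # encoding without an operand-size prefix
    opsize: Optional[int]  # 16 or 32 if it carries an operand of that size

def encode(insns: List[Insn], mode32: bool) -> bytes:
    """Bytes of a stub as it appears in 16-bit or 32-bit code: an operand
    size that differs from the segment default takes a 66h prefix."""
    default = 32 if mode32 else 16
    out = bytearray()
    for i in insns:
        if i.opsize is not None and i.opsize != default:
            out.append(0x66)
        out += i.code
    return bytes(out)

# Fixed core of each stub (register setup that varies is left out).
SIGNATURES = {
    "M01 int3 BCHK": [Insn(b"\xBD\x4B\x48\x43\x42", 32),   # mov ebp,4243484Bh
                      Insn(b"\xB8\x04\x00", 16),           # mov ax,4
                      Insn(b"\xCC", None), Insn(b"\x3C\x04", None)],  # int 3; cmp al,4
    "M03 int2F SICE": [Insn(b"\xB8\x84\x16", 16),          # mov ax,1684h
                       Insn(b"\xBB\x02\x02", 16),          # mov bx,0202h
                       Insn(b"\xCD\x2F", None)],           # int 2Fh
    "M04 int2F SIWVID": [Insn(b"\xB8\x84\x16", 16), Insn(b"\xBB\x5F\x7A", 16),
                         Insn(b"\xCD\x2F", None)],         # ... mov bx,7A5Fh ...
    "M05 int41 4F": [Insn(b"\xB8\x4F\x00", 16),            # mov ax,4Fh
                     Insn(b"\xCD\x41", None),              # int 41h
                     Insn(b"\x3D\x86\xF3", 16)],           # cmp ax,0F386h
    "M07 int68 43": [Insn(b"\xB4\x43", None),              # mov ah,43h
                     Insn(b"\xCD\x68", None),              # int 68h
                     Insn(b"\x3D\x86\xF3", 16)],           # cmp ax,0F386h
    "M12 VxDCall Int41Dispatch": [Insn(b"\x6A\x4F", None), # push 4Fh
                                  Insn(b"\x68\x2A\x00\x2A\x00", 32)],  # push 2A002Ah
}

def scan(blob: bytes) -> List[Tuple[int, str, int]]:
    """(offset, signature name, code mode) for every stub found."""
    hits = []
    for name, insns in SIGNATURES.items():
        for mode32 in (False, True):
            pat = encode(insns, mode32)
            pos = blob.find(pat)
            while pos != -1:
                hits.append((pos, name, 32 if mode32 else 16))
                pos = blob.find(pat, pos + 1)
    return sorted(hits)

# Constructed sample (not a real program): NOP padding around a 32-bit
# Method 01 stub, a 16-bit Method 05 stub and a Method 12 VxDCall stub.
SAMPLE = (b"\x90" * 16
          + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04" + b"\x90" * 8
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3" + b"\x90" * 8
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15" + b"\x90" * 4)
```

Running scan(SAMPLE) reports the three stubs at offsets 16, 36 and 52 with their code mode.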
8 l" @$ z$ Q8 t; NMethod 13
+ y6 c1 W: A; F E+ m2 L0 L3 y( l=========
% w0 U. p) c' M) H2 [7 S* y5 Y& f& l1 C2 N' z7 z, X3 ?
Not a real method of detection, but a good way to know if SoftICE is
( \3 w1 |1 Q/ ^installed on a computer and to locate its installation directory.
/ {4 o3 r+ K0 Z9 j: h( q8 L) sIt is used by few softs which access the following registry keys (usually #2) :
& A) O5 \" u* A- x# _' ^# B: a
4 T e6 ^: t* n' T-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 D# d0 f8 ^2 H3 h; O\Uninstall\SoftICE/ f3 }! a5 D! V% k
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
z1 y6 D9 \6 l& ?9 W-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# ]4 `1 e& {" ^
\App Paths\Loader32.Exe
- @, t+ _) D8 ^1 J8 [% |1 t3 `( s) q ^5 R Q: q
0 k! A" k7 Z O o, [
Note that some nasty apps could then erase all files from SoftICE directory
" {5 z* t. ~$ E. s(I faced that once :-( e. D# h2 O& {! E5 u, V
% b2 J0 J: a; _- d# A* w1 ~
Useful breakpoint to detect it: k) B8 K3 u* U
, B/ k8 N- }9 T) p, Y8 x/ e+ o; W: l
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'& a) S+ ^! b& H% B
1 d1 k* Q* O# N5 R. b4 H; \$ L3 k__________________________________________________________________________
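The breakpoint conditions in Methods 11 and 13 compare a dword at a fixed offset into the string argument with a four-character tag. The following added Python (not code from this page) shows where those offsets come from, rebuilding both conditions from the device names and registry keys listed above; it assumes the page's convention that esp->4 and esp->8 are the first and second stack arguments, and models SoftICE's *(ptr)=='tag' as a straight compare of the four bytes at that address.

```python
from typing import List

# Strings the two tricks pass to the API, as listed on this page: device
# names opened with CreateFileA (Method 11) and registry keys opened with
# RegOpenKey (Method 13).
DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

def tag_offset(s: str, tag: str) -> int:
    """Byte offset of the 4-character tag inside the ASCII string s, or -1."""
    return s.encode("ascii").find(tag.encode("ascii"))

def dword_matches(memory: bytes, offset: int, tag: str) -> bool:
    """Model of SoftICE evaluating  *(ptr+offset)=='tag' : the four bytes at
    that address are compared with the tag as it sits in memory."""
    return memory[offset:offset + 4] == tag.encode("ascii")

def bpx_condition(ptr_expr: str, strings: List[str], tags: List[str]) -> str:
    """OR together one dword check per (tag, offset) pair found in the
    strings, e.g. *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'.
    ptr_expr is the SoftICE expression for the string pointer argument."""
    terms = []
    for tag in tags:
        offsets = sorted({tag_offset(s, tag) for s in strings} - {-1})
        terms += [f"*({ptr_expr}+{off:#x})=='{tag}'" for off in offsets]
    return " || ".join(terms)

if __name__ == "__main__":
    # Method 11: the device name is the first CreateFileA argument (esp->4)
    print("BPX CreateFileA if",
          bpx_condition("esp->4", DEVICE_NAMES, ["SICE", "SIWV", "NTIC"]))
    # Method 13: the subkey name is the second RegOpenKey argument (esp->8)
    print("BPX _regopenkey if", bpx_condition("esp->8", REGISTRY_KEYS, ["tICE"]))
    # Constructed memory image of a NUL-terminated string argument
    mem = b"\\\\.\\SIWVID\x00"
    print(dword_matches(mem, 4, "SIWV"), dword_matches(mem, 4, "SICE"))
```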
* o& m6 e& g# @" `0 e0 ^ E* L& q9 z
8 @9 _( L, y/ W4 D) E: H LMethod 14 $ y) V8 d. w8 V) ]$ t5 n; O: R1 l
=========- U' p% u/ x! v+ w6 v
" _2 v: y$ W. {$ v$ l# l& i4 H8 t ZA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose" L! v3 {: Q" i1 E; D. G7 @/ Q) L
is to determines whether a debugger is running on your system (ring0 only).+ F+ N* L0 ?+ e+ F. o
0 i- f' z, Z5 s% t
VMMCall Test_Debug_Installed/ a* a/ O) w8 f4 o
je not_installed
% j1 e& X h% N6 K7 A- A! U( j5 p. V6 S
. \0 Z! o& i0 F( Q4 dThis service just checks a flag./ T/ o. r. p' P8 U+ I, s
</PRE></TD></TR></TBODY></TABLE> |