<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP = 'BCHK'
and AX = 4, a resident SoftICE answers the INT 3 and changes AL. If AL
still holds 4 afterwards, nobody answered.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h
        int 3                   ; handled by SoftICE if it is resident
        cmp al, 4               ; AL unchanged -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD by its device ID via
INT 2Fh/AX=1684h (Get Device API Entry Point): ES:DI comes back as the API
entry point if the VxD is loaded, and stays 0000:0000 otherwise.

        xor di, di
        mov es, di              ; ES:DI = 0000:0000 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; 0 only if both ES and DI are still 0
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di              ; ES:DI = 0000:0000 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls INT 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is first pointed at a
dummy IRET handler: if AX still comes back as 0F386h, something intercepted
the interrupt before it reached the vector table (SoftICE hooks INT 41h at
VxD level).

        xor ax, ax
        mov es, ax              ; ES = 0, the real-mode IVT (added here;
                                ; Stone's snippet assumes ES already holds 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own INT 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in DX:BX
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; leaves AX untouched: no debugger -> AX stays 4Fh
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL and the caller checks whether that copy
happened. If SoftICE swallows the INT 41h, our handler never runs, CL stays
0 and differs from AL. (If the timer byte read into AL happens to be 0 the
check cannot tell, so it may occasionally miss.)

int41handler PROC
        mov cl, al              ; proof that our handler ran
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0, the real-mode IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = a byte of the timer counter: an
                                ; unpredictable value, not a known function number
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode), function AH=43h,
which returns the same 0F386h magic number.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their values (in ring 0 only: MOV from a debug register is a
privileged instruction). The 0x400 is the reserved, always-set bit 10 of
DR7; 0x700 adds bits 8 and 9 (LE and GE), which the loader leaves set.
Values can be manipulated and changed as well (clearing BPMs, for instance).

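The DR7 layout behind the 0x400/0x700 values above, as an added worked example (this is not code from the original page). It decodes a DR7 value into the per-slot enable, type and length fields, lists the breakpoints a debugger has armed given the DR0..DR3 addresses, and shows the "clear BPMs" manipulation the text mentions; the sample values and the function names are this example's own.

```python
"""Decode an x86 DR7 value the way a ring-0 anti-debug check would read it.

Added example, not code from the original page.  It implements the DR7
layout from the Intel manual: bits 0-7 are the L0/G0 .. L3/G3 enable pairs,
bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1 (which is
where the idle value 0x400 comes from), bit 13 is GD, and bits 16-31 hold
the R/W and LEN pair for each of DR0..DR3.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}        # 2 (8 bytes) is 64-bit mode only


def decode_dr7(dr7):
    """Return the global flags plus one dict per hardware breakpoint slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "enabled": bool(local or glob),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "slots": slots,
        "active": [s["index"] for s in slots if s["enabled"]],
    }


def looks_like_softice_loader(dr7):
    """The page's heuristic: 0x700 (LE and GE set) instead of the idle 0x400."""
    return (dr7 & 0x700) == 0x700


def armed_breakpoints(dr7, dr0_3):
    """Describe each armed BPM: DR7 enable/type bits plus the DR0..DR3 address."""
    lines = []
    for slot, addr in zip(decode_dr7(dr7)["slots"], dr0_3):
        if not slot["enabled"]:
            continue
        scope = "global" if slot["global"] else "local"
        lines.append("DR%d: %s %d byte(s) at 0x%08X (%s)"
                     % (slot["index"], slot["kind"], slot["length"], addr, scope))
    return lines


def clear_bpms(dr7):
    """What a protector does when 'clearing BPMs': drop all eight enable bits."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed values (not captured from a real machine): the 0x700 loader
    # baseline plus a 4-byte read/write BPM armed in DR0.
    sample_dr7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    for line in armed_breakpoints(sample_dr7, [0x00401000, 0, 0, 0]):
        print(line)
    print("loaded with SoftICE loader:", looks_like_softice_loader(sample_dr7))
```

A protector reading DR7 from ring 0 sees exactly these fields; the heuristic of the page only looks at bits 8-10, so a debugger that leaves LE/GE clear is invisible to it, while any BPM shows up in the enable bits regardless.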
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE if the Win9x SoftICE VxD (SICE) can be opened as a device */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
        (esp->4 is lpFileName; the +4 skips the '\\.\' prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
        (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of
        "tICE" inside key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only): it returns with the zero flag set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
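A static counterpart to the BPX-based spotting used throughout this page, as an added example (not code from the original page or from any of the programs it mentions): it turns the tricks above into the byte patterns their instructions and string constants leave in a file, and scans a binary for them. The encodings are hand-assembled from the snippets on the page; the operand-size assumptions, the signature names and the constructed SAMPLE image are this example's own, and the short patterns (the 0F386h compare in particular) are hints to confirm in a disassembler, not proof.

```python
"""Static scanner for the anti-SoftICE tricks catalogued on this page.

Added example (not code from the original page): each trick is reduced to
the bytes its instructions or string constants leave in a file, so a binary
can be checked for them without running it.  Instruction encodings assume
16-bit code for the INT 3/INT 2Fh/INT 41h/INT 68h snippets, with an optional
66h operand-size prefix for the same instructions in 32-bit code; the PUSH
imm encodings of method 12, MOV from a debug register (method 10) and the
device/registry strings of methods 11 and 13 are size-independent.
"""
import re
import sys

# signature name -> byte regex (comments give the instructions it encodes)
SIGNATURES = {
    "01 BoundsChecker": re.compile(
        rb"\x66?\xBD\x4B\x48\x43\x42"),                   # mov ebp, 4243484Bh ('BCHK')
    "02 back door": re.compile(
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),          # mov si,4647h / mov di,4A4Dh
    "03 int 2F/1684 SICE": re.compile(
        rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F"),  # ax=1684h bx=0202h int 2Fh
    "04 int 2F/1684 SIWVID": re.compile(
        rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F"),  # ax=1684h bx=7A5Fh int 2Fh
    "05 int 41/4F": re.compile(
        rb"\x66?\xB8\x4F\x00\xCD\x41"),                   # mov ax,4Fh / int 41h
    "07 int 68/43": re.compile(
        rb"\xB4\x43\xCD\x68"),                            # mov ah,43h / int 68h
    "10 mov reg,DRn": re.compile(
        rb"\x0F\x21[\xC0-\xFF]"),                         # mov r32, DR0..DR7
    "11 device name": re.compile(
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),           # "\\.\SICE" etc. (ANSI)
    "12 VxDCall Int41Dispatch": re.compile(
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                # push 4Fh / push 2A002Ah
    "13 registry key": re.compile(
        rb"\\(?:NuMega|Uninstall)\\SoftICE", re.IGNORECASE),
    "F386 magic": re.compile(
        rb"\x66?\x3D\x86\xF3"),                           # cmp ax, 0F386h
}


def scan(blob):
    """Return [(offset, signature name), ...] for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image (not a real executable): the page's snippets
# hand-assembled and separated by NOP padding, so the scanner has something
# to find offline.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"                   # mov ebp,4243484Bh   (method 01, 32-bit)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"   # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"                   # mov ax,0911h / mov dx,[bx]  (method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"           # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"       # method 03
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"       # method 05, then cmp ax,0F386h
    + b"\x90" * 8
    + b"\xB4\x43\xCD\x68"                       # method 07
    + b"\x90" * 8
    + b"\x0F\x21\xF8"                           # mov eax, dr7       (method 10)
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"           # method 12
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"        # method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"          # method 13 registry key
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, name in hits:
        print("%08X  %s" % (offset, name))
```

Run it with a file path to scan a real binary, or without arguments to scan the built-in sample. Methods 09 and 14 are not covered: a VMMCall is INT 20h followed by a service number, and the numbers for Get_DDB and Test_Debug_Installed are not given on this page, so no pattern is asserted for them.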
</PRE></TD></TR></TBODY></TABLE>