About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: the program raises an
INT 3 with EBP='BCHK' and AX=4, which SoftICE (which implements the
BoundsChecker interface) answers by changing AL. Without SoftICE the
INT 3 only reaches the program's own INT 3 handler (it must install one,
otherwise the breakpoint exception kills it), and AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands': an INT 3 issued with magic values in SI/DI,
which gives information on breakpoints, executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own INT 3
  exception handler) if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point") with the VxD ID of WINICE (0202h). The call
leaves ES:DI untouched when no VxD with that ID is loaded, which is why
ES:DI is zeroed beforehand: anything non-zero afterwards means SoftICE
answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, the SoftICE video driver, VxD ID 7A5Fh).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh ("debugger installation check").
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). In real mode the int 41h vector normally
points to the BIOS fixed-disk parameter table, not to code, so calling it
blindly on a machine without a debugger crashes; these variants therefore
swap a dummy IRET handler into the interrupt vector table (at 0000:0104h),
issue the int 41h, and restore the original vector afterwards. A system
debugger intercepts the interrupt before it ever reaches the IVT, so only
a debugger returns 0F386h:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
instead of looking for 0F386h, it installs an int 41h handler which copies AL
into CL, loads AL with a varying value (the PIT counter read from port 40h),
clears CX and checks after the int 41h whether its own handler ran. If a
debugger intercepted the interrupt instead of passing it down to the
installed handler, CL is still 0 and differs from AL. (If the byte read from
port 40h happens to be 0 the check gives a false negative.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT channel 0 counter: a changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function AH=43h
returns AX=0F386h when the debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number: 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: MOV from a debug register is a privileged instruction
and raises a General Protection fault from ring3). Values can be manipulated
or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API; the open only succeeds when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device exists, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1 respectively. Key #3 contains no "tICE" and is
not caught by this condition.)
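The breakpoint conditions quoted for Method 11 (BPX CreateFileA if
*(esp->4+4)=='SICE' ...) and for Method 13 just above are easy to get wrong by
one offset. The following Python is an added example, not from the original
article, that evaluates both conditions against a constructed memory image with
a fake stack frame laid out as the API sees it on entry ([esp] = return
address, then the arguments, with pointers into the same image); all addresses
and return addresses are made-up values. It also derives the 0x13 and 0x37
constants from the subkey strings of keys #2 and #1, and shows that key #3 is
not caught by that condition.

```python
"""Evaluate the SoftICE breakpoint conditions of Methods 11 and 13 against a
constructed memory image.

Added example, not code from the original article. SoftICE's `a->b` reads the
dword at [a+b] and a four-character literal compares byte-for-byte with
memory; both are modelled here on a flat little-endian buffer. Addresses,
return addresses and the HKLM handle value are made up for the test.
"""
from __future__ import annotations

import struct

SOFTICE_DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")   # what follows the "\\.\" prefix
SOFTICE_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",       # #1
    r"Software\NuMega\SoftICE",                                           # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # #3
)


class Memory:
    """Flat little-endian address space, just enough to evaluate the conditions."""

    def __init__(self, size: int = 0x1000):
        self.buf = bytearray(size)

    def write(self, addr: int, data: bytes) -> None:
        self.buf[addr:addr + len(data)] = data

    def dword(self, addr: int) -> int:            # SoftICE: *addr, a->b
        return struct.unpack_from("<I", self.buf, addr)[0]

    def chars4(self, addr: int) -> bytes:         # SoftICE: *addr == 'ABCD'
        return bytes(self.buf[addr:addr + 4])


def createfile_frame(device_name: str, esp: int = 0x800, name_at: int = 0x400):
    """Memory as seen at CreateFileA entry: [esp]=ret, [esp+4]=lpFileName, ..."""
    mem = Memory()
    mem.write(name_at, device_name.encode("ascii") + b"\0")
    mem.write(esp, struct.pack("<II", 0x00401071, name_at))   # made-up ret addr, lpFileName
    return mem, esp


def bpx_createfile_condition(mem: Memory, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    lp_filename = mem.dword(esp + 4)
    return mem.chars4(lp_filename + 4) in SOFTICE_DEVICE_TAGS   # +4 skips "\\.\"


def regopenkey_frame(subkey: str, esp: int = 0x800, key_at: int = 0x500):
    """Memory at RegOpenKeyA entry: [esp]=ret, [esp+4]=hKey, [esp+8]=lpSubKey."""
    mem = Memory()
    mem.write(key_at, subkey.encode("ascii") + b"\0")
    mem.write(esp, struct.pack("<III", 0x00401234, 0x80000002, key_at))  # ret, HKLM, lpSubKey
    return mem, esp


def bpx_regopenkey_condition(mem: Memory, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    lp_subkey = mem.dword(esp + 8)
    return b"tICE" in (mem.chars4(lp_subkey + 0x13), mem.chars4(lp_subkey + 0x37))


def tice_offsets() -> dict[str, int]:
    """Where 'tICE' sits in each subkey (-1 if absent): the source of the 0x13
    (key #2) and 0x37 (key #1) constants in the breakpoint."""
    return {k: k.find("tICE") for k in SOFTICE_KEYS}


if __name__ == "__main__":
    for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE", r"\\.\PhysicalDrive0"):
        print(f"{name:<20} -> {bpx_createfile_condition(*createfile_frame(name))}")
    for key, off in tice_offsets().items():
        print(f"{off:#06x} {key} -> {bpx_regopenkey_condition(*regopenkey_frame(key))}")
```

If you want the RegOpenKey breakpoint to cover key #3 as well, compare against
a fragment that all three subkeys share (the "App " of "App Paths" at offset
0x2A of key #3, for instance) rather than relying on "tICE" alone.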

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>