<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.

For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced by a dummy handler (es must point to the interrupt vector table,
segment 0, as set up explicitly in Method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install dummy handler, save old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install handler, save old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; random-ish value from the timer port
    xor cx,cx
    int 41h                    ; our handler copies al into cl
    xchg dx, es:[41h*4]        ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                  ; a debugger that took int 41h left cl = 0
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE check: try to open the SoftICE (Win9x) driver by name.
   The open only succeeds when the VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
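The byte sequences behind Methods 01 to 07, 11 and 13 can be turned into a
static check that tells an analyst which of these tricks a sample carries
before it is ever run under a debugger. The scanner below is an added example,
not part of the original text: the patterns are what the listed instructions
assemble to (16-bit encoding for the DOS listings, with an optional 66h
operand-size prefix where the same sequence appears in 32-bit code), the
sample buffer is constructed here, and deliberately short fragments such as a
lone int 41h are left out because they would match ordinary code. A regex gap
of up to 16 bytes between the interrupt and the cmp ax,0F386h absorbs the
vector save/restore seen in Methods 05 and 06.

```python
import re

# Signatures for the anti-SoftICE tricks listed above.  Each regex is the
# machine-code encoding of the key instructions of the corresponding listing
# (assumption: the sample was assembled as listed, no extra instructions
# between the constant loads and the interrupt).
SIGNATURES = {
    "M01 BoundsChecker int 3 (ebp='BCHK', ax=4)":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    "M02 SoftICE int 3 back door (si=4647h, di=4A4Dh)":
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",
    "M03 int 2Fh/1684h entry point of VxD 0202h (SICE)":
        rb"\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h/4Fh followed by cmp ax,0F386h":
        rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3",
    "M07 int 68h/43h followed by cmp ax,0F386h":
        rb"\xB4\x43\xCD\x68.{0,16}?\x3D\x86\xF3",
    "M11 MeltICE device name (CreateFileA/_lopen)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every pattern found, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so the gap in M05/M07 may contain a 0x0A byte as well
        for match in re.finditer(pattern, data, re.DOTALL):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def report(data: bytes) -> str:
    """One line per hit: file offset in hex, then the signature name."""
    hits = scan(data)
    if not hits:
        return "no anti-SoftICE signature found"
    return "\n".join(f"{offset:08x}  {name}" for name, offset in hits)


# Constructed sample: a NOP prologue, the Method 02 sequence as in the
# Haspinst.exe listing (16-bit encoding), more NOPs, then a MeltICE
# device-name string as pushed to CreateFileA in Method 11.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h   <- M02 match starts here (offset 9)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # "\\.\SICE",0   <- M11 match (offset 20)
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

To run it over a real sample, call scan(open(path, "rb").read()); a hit is a
reason to expect the program to behave differently under SoftICE, not proof
of malice, since a legitimate protector uses the same sequences.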

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>