About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE implements: with 'BCHK' in
EBP and 4 in AX, an INT 3 is answered by SoftICE, which changes AL. If AL
still holds 4 after the call, no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded
  (without SoftICE the INT 3 raises an exception that the program's own
  handler catches).
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"): ES:DI comes back non-zero if the VxD is
installed.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode INT 41h vector is
temporarily replaced with a plain IRET, so that without a debugger AX comes
back unchanged; SoftICE handles INT 41h outside the real-mode vector table
and still answers 0F386h. ES must address the interrupt vector table
(segment 0), as in method 06:

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table (added, see method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL. AL is filled from the timer port
(in al,40h) instead of holding function 4Fh, so the call does not look like
a debugger check. If the dummy handler is the one that runs, CL equals AL
afterwards; any difference means INT 41h was caught by something else.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system:
int 01h and int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

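Added example, not from the original text: a decoder for the DR7 layout that makes sense of the two values quoted above. The bit assignments are the architectural ones (Intel SDM vol. 3, "Debug Registers"): L0..L3/G0..G3 in bits 0..7, LE/GE in bits 8 and 9, a reserved bit that always reads 1 in bit 10, GD in bit 13, and a R/W and LEN field per slot in bits 16..31. Reading DR7 itself (mov eax,dr7) is a privileged instruction and is not done here; the register values are passed in, and the function names (dr7_slot, dr7_armed_mask, dr7_arm, debug_regs_look_used) are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded state of one hardware breakpoint slot DRn (n = 0..3). */
typedef struct {
    int local;   /* Ln bit set */
    int global;  /* Gn bit set */
    int rw;      /* R/Wn: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;     /* LENn decoded to bytes: 1, 2, 4 or 8 */
} dr_slot;

#define DR7_LE        0x100u   /* local exact breakpoint */
#define DR7_GE        0x200u   /* global exact breakpoint */
#define DR7_RESERVED  0x400u   /* bit 10, always reads as 1 */
#define DR7_GD        0x2000u  /* general detect: trap on any access to DR0-DR7 */

/* LEN encodings 00, 01, 10, 11 -> bytes (10 means 8 bytes in 64-bit mode). */
static const int LEN_BYTES[4] = { 1, 2, 8, 4 };

/* Decode slot n from a DR7 value. */
dr_slot dr7_slot(uint32_t dr7, int n)
{
    dr_slot s;
    s.local  = (int)((dr7 >> (2 * n)) & 1u);
    s.global = (int)((dr7 >> (2 * n + 1)) & 1u);
    s.rw     = (int)((dr7 >> (16 + 4 * n)) & 3u);
    s.len    = LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3u];
    return s;
}

/* Bit n of the result is set when DRn is armed (local or global enable). */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            m |= 1u << n;
    return m;
}

/* The method-10 verdict: anything beyond the reserved bit in DR7, or a
 * non-zero address in DR0..DR3, means a debugger has touched the registers.
 * 0x400 is the untouched value; 0x700 (LE|GE set) is what the text reports
 * when the program was started from the SoftICE loader. */
int debug_regs_look_used(uint32_t dr7, const uint32_t dr[4])
{
    if ((dr7 & ~DR7_RESERVED) != 0)
        return 1;
    for (int n = 0; n < 4; n++)
        if (dr[n] != 0)
            return 1;
    return 0;
}

/* Build the DR7 value a debugger writes to arm DRn as a BPM-style breakpoint:
 * local enable plus R/W and LEN for that slot, keeping the reserved bit. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len_bytes)
{
    int len_code = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 8 ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * n));              /* clear the old R/W and LEN */
    dr7 |= (uint32_t)rw << (16 + 4 * n);
    dr7 |= (uint32_t)len_code << (18 + 4 * n);
    dr7 |= 1u << (2 * n);                         /* Ln */
    return dr7 | DR7_RESERVED;
}

int main(void)
{
    uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };          /* constructed: a BPM on DR0 */
    uint32_t dr7 = dr7_arm(DR7_RESERVED, 0, 3, 4);      /* read/write, 4 bytes */
    dr_slot s = dr7_slot(dr7, 0);
    printf("dr7=%08x armed=%x slot0: local=%d rw=%d len=%d used=%d\n",
           dr7, dr7_armed_mask(dr7), s.local, s.rw, s.len,
           debug_regs_look_used(dr7, dr));
    return 0;
}
```

With DR7 = 0x700 no slot is armed (dr7_armed_mask returns 0); only LE and GE are set, which is exactly why the check treats it as "loaded with the SoftICE loader". A BPM set on DR1 as a 4-byte write breakpoint produces DR7 = 0xD00404, and clearing such a breakpoint from ring 0 means writing the slot's L/G bits back to zero, as the last sentence above describes.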
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

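The MeltICE check generalised to all three driver names the text lists, as an added example that is not part of the original post or of MeltICE itself. The CreateFileA call is the one shown above; everything else is mine: the probe callback (open_probe_fn) exists so the loop can be exercised with a stand-in opener on a machine without SoftICE or without Windows, softice_probe walks the device list, and bpx_tag shows which four characters the classic `BPX CreateFileA if *(esp->4+4)=='SICE'` condition actually compares (the dword four bytes into the name, just past the `\\.\` prefix).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names MeltICE-style checks try to open, as listed in the text:
 * SICE and SIWVID on Win9x, NTICE on WinNT. */
static const char *const SICE_DEVICES[] = {
    "\\\\.\\SICE",
    "\\\\.\\SIWVID",
    "\\\\.\\NTICE",
};
#define N_SICE_DEVICES (sizeof SICE_DEVICES / sizeof SICE_DEVICES[0])

/* Probe callback: non-zero when `path` can be opened as a device.
 * This indirection is my own, so the loop is testable without the drivers. */
typedef int (*open_probe_fn)(const char *path);

/* Try every driver name in turn. Returns the index of the first one that
 * opened, or -1; *matched receives its path (or NULL). */
int softice_probe(open_probe_fn probe, const char **matched)
{
    for (size_t i = 0; i < N_SICE_DEVICES; i++) {
        if (probe(SICE_DEVICES[i])) {
            if (matched) *matched = SICE_DEVICES[i];
            return (int)i;
        }
    }
    if (matched) *matched = NULL;
    return -1;
}

/* The four characters the classic breakpoint compares: *(esp->4+4) reads
 * the dword four bytes into the file name, i.e. right after "\\.\".
 * Writes at most four characters plus a terminator into out and returns it. */
const char *bpx_tag(const char *path, char out[5])
{
    size_t len = strlen(path);
    for (size_t i = 0; i < 4; i++)
        out[i] = (4 + i < len) ? path[4 + i] : '\0';
    out[4] = '\0';
    return out;
}

#ifdef _WIN32
/* Real opener: the same CreateFileA call MeltICE makes. */
int win32_open_probe(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed stand-ins for demonstration: one pretends only NTICE is
 * loaded, the other that no driver handle can be opened at all. */
int fake_ntice_probe(const char *path) { return strcmp(path, "\\\\.\\NTICE") == 0; }
int never_probe(const char *path)      { (void)path; return 0; }

int main(void)
{
    const char *which;
    char tag[5];
#ifdef _WIN32
    int idx = softice_probe(win32_open_probe, &which);
#else
    int idx = softice_probe(fake_ntice_probe, &which);
#endif
    if (idx >= 0)
        printf("SoftICE driver found: %s (BPX tag '%s')\n", which, bpx_tag(which, tag));
    else
        printf("no SoftICE driver handle could be opened\n");
    return 0;
}
```

On Windows the real opener is used; elsewhere the NTICE stand-in shows the control flow. The bpx_tag values for the three names are exactly 'SICE', 'SIWV' and 'NTIC', which is why the breakpoint condition above spells them that way rather than with the full driver names.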
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.