<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: the 'BCHK' signature is placed
in ebp before an int 3, and if al is no longer 4 afterwards, SoftICE
handled the call.

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax                 ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
dummy handler for the duration of the call (es must point to the interrupt
vector table, segment 0, as method 06 sets it up explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable value from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; if the int never reached our handler,
    jnz SoftICE_detected        ; cl is still 0 and differs from al


___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient: by checking the debug registers you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or if there are memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the driver's device name; the open only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
NW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( )

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

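The breakpoints given with each method only work once the protected program is already running under SoftICE. An added example, not part of the original article and not the author's code: a small Python scanner that looks for the static byte-level traces of the tricks described in methods 01 to 13 (the immediate values 'BCHK', 4647h/4A4Dh, 1684h with the SICE/SIWVID VxD IDs, 4Fh/int 41h, 43h/int 68h, the 0F386h magic value, the \\.\SICE style device names and the registry keys) in a raw executable image, which is how an analyst would triage a packed file for these checks before loading it in a debugger. The opcode encodings are the standard x86 ones (mov r16,imm16 = B8+r, mov ebp,imm32 = BD, mov ah,imm8 = B4, cmp ax,imm16 = 3D, int = CD, int 3 = CC), with an optional 66h operand-size prefix for the 16-bit forms used in 32-bit code; the sample blob is constructed by hand for this example. Ring0-only methods (09, 10, 14) and checks whose constants are computed at run time leave no such trace, so a clean scan is not proof of absence.

```python
import re
from typing import List, Tuple

# Optional 66h operand-size prefix: the 16-bit idioms on this page appear bare
# in DOS code and with a 66h prefix when the same sequence is used in 32-bit code.
P66 = rb"\x66?"

# (methods on the page, description, regex over raw bytes).
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "BoundsChecker probe: mov ebp,'BCHK' ... int 3",
     rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,16}?\xCC"),
    ("02", "SoftICE back door magic: mov si,4647h ; mov di,4A4Dh",
     P66 + rb"\xBE\x47\x46" + P66 + rb"\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h entry point query for SICE (0202h) or SIWVID (7A5Fh)",
     P66 + rb"\xB8\x84\x16" + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05/06", "int 41h function 4Fh debugger check: mov ax,4Fh ; int 41h",
     P66 + rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "int 68h function 43h debugger check: mov ah,43h ; int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("05/07/12", "compare with the debugger magic value: cmp ax,0F386h",
     P66 + rb"\x3D\x86\xF3"),
    ("11", "SoftICE driver device name (MeltICE style CreateFileA/_lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("13", "SoftICE registry key",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]

COMPILED = [(m, d, re.compile(p)) for m, d, p in SIGNATURES]


def scan_for_softice_checks(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, methods, description) for every hit, sorted by offset."""
    hits = []
    for methods, desc, rx in COMPILED:
        for match in rx.finditer(blob):
            hits.append((match.start(), methods, desc))
    hits.sort()
    return hits


def methods_found(blob: bytes) -> List[str]:
    """Distinct method tags in first-seen order, for a one-line triage summary."""
    seen: List[str] = []
    for _, methods, _ in scan_for_softice_checks(blob):
        if methods not in seen:
            seen.append(methods)
    return seen


# Constructed sample (not taken from any real program): hand-assembled fragments
# of the idioms above separated by NOPs, plus a device name and a registry path
# as they would sit in an executable's data section.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh ('BCHK')      method 01
    + b"\x66\xB8\x04\x00"                    # mov ax,4
    + b"\xCC"                                # int 3
    + b"\x3C\x04"                            # cmp al,4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                # mov ax,4Fh ; int 41h            method 05
    + b"\x3D\x86\xF3"                        # cmp ax,0F386h
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h ; mov bx,0202h ; int 2Fh  method 03
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE" as a C string        method 11
    + b"Software\\NuMega\\SoftICE\x00"       # registry key                    method 13
)

if __name__ == "__main__":
    for offset, methods, desc in scan_for_softice_checks(SAMPLE):
        print(f"{offset:#06x}  method {methods:<9} {desc}")
```

Run against a real file with `scan_for_softice_checks(open(path, "rb").read())`; the offsets are file offsets, so map them through the section table before setting a breakpoint on them. The method 01 pattern tolerates up to 16 bytes between the 'BCHK' load and the int 3 because compilers and hand-written stubs put the `mov ax,4` (and sometimes other setup) in between.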
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>