<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: INT 3 is called with
EBP='BCHK' and AX=4. When SoftICE is present it services the call and AL does
not come back as 4; without SoftICE the registers are left untouched.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door commands' through INT 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands, whose strings are pointed
to by ds:dx: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through an exception handler (SEH) when the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD via INT 2Fh/1684h (Get VxD
API entry point): with the VxD ID in BX, the call returns the entry point in
ES:DI, which stays 0000:0000 when the VxD is not loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next example, as well as Method 06, are 2 examples taken from Stone's
"stn-wid.zip" (www.cracking.net). Here the INT 41h vector is replaced by a
dummy handler that just returns: if nothing intercepts INT 41h before it
reaches the vector table, the dummy handler runs and AX comes back unchanged;
a system debugger sitting above the vector table still answers 0F386h:

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect because AX is
never set to 4Fh: the dummy handler copies AL into CL, and a value read from
the timer port serves as a marker. If the handler ran, CL equals AL
afterwards; if a debugger intercepted INT 41h and did not pass it on to the
vector table, the handler never ran, CL keeps the 0 set before the call and
the compare fails (the rare timer value of 0 gives a miss).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a value that changes every run
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in INT 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if the program was started with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their value (ring 0 only). The values can be
manipulated or changed as well (clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls CreateFileA, don't expect to be able to intercept
it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001    ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) when the open fails
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

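The BPX and BPINT lines above catch these checks at run time, once the
program is already executing under SoftICE. As an added example (not code
from the original text, nor from any tool it names), the following C program
does the same job statically: it scans a byte buffer for the instruction
encodings and device-name strings of Methods 01 to 05, 07, 11 and 12, so a
packed binary can be triaged before it is run. The signature names, the
scan windows, and the sample and decoy buffers are my own construction;
Method 02 is matched as 'mov si,4647h' followed by 'mov di,4A4Dh', the order
of the Haspinst listing. A 0x66 operand-size prefix in 32-bit code sits in
front of each matched sequence, so 16-bit DOS code and Win32 code both match.

```c
/* Added example: static scanner for the SoftICE-check idioms of Methods
 * 01-05, 07, 11 and 12. Not code from the original text. Byte patterns
 * are the plain x86 encodings of the quoted instructions; a 0x66 prefix
 * (32-bit code) sits before them, so 16- and 32-bit code both match.
 * Signature names, windows and the sample/decoy buffers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;
    const uint8_t *anchor; size_t anchor_len; /* bytes that must match   */
    const uint8_t *follow; size_t follow_len; /* optional trailing bytes */
    size_t         window;  /* ...that must occur within this many bytes after the anchor */
} sig_t;

typedef struct { const char *name; size_t offset; } hit_t;

static const uint8_t bchk[]   = {0xBD,0x4B,0x48,0x43,0x42};        /* mov ebp,'BCHK'      */
static const uint8_t int3[]   = {0xCC};                            /* int 3               */
static const uint8_t si4647[] = {0xBE,0x47,0x46};                  /* mov si,4647h ('FG') */
static const uint8_t di4a4d[] = {0xBF,0x4D,0x4A};                  /* mov di,4A4Dh ('JM') */
static const uint8_t bx0202[] = {0xBB,0x02,0x02};                  /* mov bx,0202h SICE   */
static const uint8_t bx7a5f[] = {0xBB,0x5F,0x7A};                  /* mov bx,7A5Fh SIWVID */
static const uint8_t int2f[]  = {0xCD,0x2F};                       /* int 2Fh             */
static const uint8_t ax4f[]   = {0xB8,0x4F,0x00};                  /* mov ax,4Fh          */
static const uint8_t int41[]  = {0xCD,0x41};                       /* int 41h             */
static const uint8_t ah43[]   = {0xB4,0x43};                       /* mov ah,43h          */
static const uint8_t int68[]  = {0xCD,0x68};                       /* int 68h             */
static const uint8_t vxd41[]  = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh; push 2A002Ah */
static const uint8_t sice[]   = "\\\\.\\SICE";                     /* MeltICE device names */
static const uint8_t siwvid[] = "\\\\.\\SIWVID";
static const uint8_t ntice[]  = "\\\\.\\NTICE";

static const sig_t SIGS[] = {
    {"M01 BCHK/int 3",            bchk,   sizeof bchk,       int3,   sizeof int3,   8},
    {"M02 back door SI/DI magic", si4647, sizeof si4647,     di4a4d, sizeof di4a4d, 16},
    {"M03 int 2Fh/1684h SICE",    bx0202, sizeof bx0202,     int2f,  sizeof int2f,  8},
    {"M04 int 2Fh/1684h SIWVID",  bx7a5f, sizeof bx7a5f,     int2f,  sizeof int2f,  8},
    {"M05 int 41h/4Fh",           ax4f,   sizeof ax4f,       int41,  sizeof int41,  6},
    {"M07 int 68h/43h",           ah43,   sizeof ah43,       int68,  sizeof int68,  6},
    {"M11 MeltICE \\\\.\\SICE",   sice,   sizeof sice - 1,   NULL,   0,             0},
    {"M11 MeltICE \\\\.\\SIWVID", siwvid, sizeof siwvid - 1, NULL,   0,             0},
    {"M11 MeltICE \\\\.\\NTICE",  ntice,  sizeof ntice - 1,  NULL,   0,             0},
    {"M12 VxDCall Int41Dispatch", vxd41,  sizeof vxd41,      NULL,   0,             0},
};

/* True if the signature has no follow bytes, or they occur within window bytes of p. */
static int follow_ok(const uint8_t *p, size_t avail, const sig_t *s)
{
    if (!s->follow) return 1;
    for (size_t i = 0; i < s->window && i + s->follow_len <= avail; i++)
        if (memcmp(p + i, s->follow, s->follow_len) == 0) return 1;
    return 0;
}

/* Scan buf, recording every signature match in offset order. Returns the hit count. */
size_t scan_buf(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++)
        for (size_t k = 0; k < sizeof SIGS / sizeof SIGS[0] && n < max_hits; k++) {
            const sig_t *s = &SIGS[k];
            if (off + s->anchor_len > len || memcmp(buf + off, s->anchor, s->anchor_len))
                continue;
            if (!follow_ok(buf + off + s->anchor_len, len - off - s->anchor_len, s))
                continue;
            hits[n].name = s->name; hits[n].offset = off; n++;
        }
    return n;
}

/* Constructed sample: Method 01 (32-bit, 0x66 prefixes), then the Haspinst
 * Method 02 sequence, Method 03, Method 05, two MeltICE names, Method 12. */
static const uint8_t kSample[] = {
    0x90,0x90, 0x66,0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,
    '\\','\\','.','\\','S','I','C','E',0, '\\','\\','.','\\','N','T','I','C','E',0,
    0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00, 0xFF,0xD0,
};
/* Decoy: 'BCHK' with no int 3 nearby, a truncated device name, mov ax,4Fh without int 41h. */
static const uint8_t kDecoy[] = {
    0xBD,0x4B,0x48,0x43,0x42, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0xC3,
    '\\','\\','.','\\','S','I', 0xB8,0x4F,0x00, 0xC3,
};

static hit_t g_hits[16];
size_t sample_hit_count(void)         { return scan_buf(kSample, sizeof kSample, g_hits, 16); }
size_t sample_hit_offset(size_t i)    { sample_hit_count(); return g_hits[i].offset; }
const char *sample_hit_name(size_t i) { sample_hit_count(); return g_hits[i].name; }
size_t decoy_hit_count(void)          { hit_t h[16]; return scan_buf(kDecoy, sizeof kDecoy, h, 16); }

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t i = 0; i < n; i++)
        printf("%04zx  %s\n", g_hits[i].offset, g_hits[i].name);
    printf("decoy: %zu hit(s)\n", decoy_hit_count());
    return 0;
}
```

On the sample buffer the scanner reports seven hits (Methods 01, 02, 03, 05,
the two MeltICE names and Method 12) and nothing on the decoy, because each
INT-based signature also requires the interrupt opcode within a few bytes of
the immediate. Method 06 has no fixed immediate and Methods 08 to 10, 13 and
14 use vectors, ring 0 services or registry names, so they are not covered;
a packer that builds the magic values at run time also escapes a byte scan,
which is why the dynamic breakpoints remain the last word.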
___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the subkey names of #2 and #1 above):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>