<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 4 when SoftICE answered the request
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(the Get Device API Entry Point function):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 if the VxD is not present
    jnz SoftICE_Detected

____________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps its own int 41h handler
into the interrupt vector table around the call:

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler ...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; ... and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler leaves ax untouched; SoftICE answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect.
Our own int 41h handler copies al into cl; if SoftICE's hook answers the
interrupt instead, cl keeps the 0 that was set before the call:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer port: an unpredictable al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
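The check above reads dr0-dr3 and dr7 from ring 0 and compares dr7 against 0x700 or 0x400. The following Python, added here as an example and not part of the original text or of any SoftICE tool, decodes a DR7 value by the bit layout documented in the Intel architecture manuals, so an analyst can see what such a check actually observes: 0x400 is only the always-set bit 10, 0x700 adds the LE and GE "exact breakpoint" enables, and a BPM shows up as an armed DRn slot with its access type and length. It also reports the GD bit, which a debugger can set so that any instruction touching a debug register traps, which is how a debugger would notice this trick. The register values fed to the demo are constructed.

```python
# Decoder for the x86 debug-control register DR7, as read by the ring-0
# check of Method 10. Added example (not from the original text or from any
# SoftICE tool); the bit layout follows the Intel architecture manuals.

DR7_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
DR7_LEN = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the armed hardware breakpoints and the control flags of DR7.

    dr0_3 are the linear addresses held in DR0..DR3 (constructed values in
    the demo below; a real reader obtains them from the registers).
    """
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: enabled for the current task
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: enabled for all tasks
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: which access type traps
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: size of the watched range
        bps.append({
            "reg": n,
            "addr": dr0_3[n],
            "kind": DR7_RW[rw],
            "length": DR7_LEN[ln],
            "scope": "local+global" if local and glob else ("local" if local else "global"),
        })
    return {
        "exact_local": bool(dr7 & 0x100),      # LE, bit 8
        "exact_global": bool(dr7 & 0x200),     # GE, bit 9
        "general_detect": bool(dr7 & 0x2000),  # GD, bit 13: MOV to/from DRn traps
        "breakpoints": bps,
    }


def describe_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable summary, covering the two values quoted in Method 10."""
    d = decode_dr7(dr7, dr0_3)
    lines = ["DR7 = 0x%08X" % dr7]
    if d["exact_local"] and d["exact_global"]:
        lines.append("LE and GE set (the 0x700 pattern the text attributes to the SoftICE loader)")
    elif not d["breakpoints"]:
        lines.append("no enable bits set (the 0x400 pattern: only the always-set bit 10)")
    if d["general_detect"]:
        lines.append("GD set: any MOV to/from a debug register traps to the debugger")
    for bp in d["breakpoints"]:
        lines.append("DR%d: %s, %d byte(s) at 0x%08X (%s)"
                     % (bp["reg"], bp["kind"], bp["length"], bp["addr"], bp["scope"]))
    return lines


if __name__ == "__main__":
    # Constructed register states: plain 0x400, the loader's 0x700, and one
    # 4-byte write watchpoint on 0x401000 (what a BPM looks like).
    for value, regs in ((0x400, (0, 0, 0, 0)),
                        (0x700, (0, 0, 0, 0)),
                        (0x000D0403, (0x401000, 0, 0, 0))):
        print("\n".join(describe_dr7(value, regs)))
        print()
```

The R/W and LEN fields live at bits 16+4n and 18+4n for slot n; an anti-debug routine that "clears BPMs" only has to zero the corresponding enable bits in DR7, which is why the text warns against tracing while this option is active.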

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;          /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

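Most of the tricks above leave a fixed instruction sequence or string in the protected file, so a static scan of a sample is the quickest way to triage which of them it carries before any tracing is done. The following Python is added here as an example (not from the original text, from FrogsICE or from any SoftICE tool) and covers Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in one pass; the M01..M13 tags, the byte patterns and the sample blob are my own constructions. The patterns are the standard x86 encodings of the instructions quoted on the page (B8+r for "mov r16/r32, imm", CD ib for "int", 68 id for "push imm32"), chosen so that the 16-bit form and the 66h-prefixed 32-bit form contain the same substring. Hits are heuristics: code built at run time or assembled with other register choices is missed, and a string hit only proves the artifact is present in the file.

```python
import re

# Static triage for the SoftICE-detection tricks described above.
# Added example, not code from the original text or from any SoftICE tool.
# Each entry: (tag, description, regex over raw bytes, regex flags).
# re.DOTALL lets the ".{0,4}" fillers match any byte between instructions;
# re.IGNORECASE is used only for text signatures, never for opcode bytes.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh",
     rb"\xBD\x4B\x48\x43\x42", re.DOTALL),
    ("M02", "INT 3 back door magic values: mov si,4647h / mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,4}\xBF\x4D\x4A", re.DOTALL),
    ("M03", "int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\xB8\x84\x16.{0,4}\xBB\x02\x02.{0,4}\xCD\x2F", re.DOTALL),
    ("M04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xB8\x84\x16.{0,4}\xBB\x5F\x7A.{0,4}\xCD\x2F", re.DOTALL),
    ("M05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00\xCD\x41", re.DOTALL),
    ("M07", "int 68h function 43h: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68", re.DOTALL),
    ("M11", "MeltICE driver name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b", re.IGNORECASE),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 002A002Ah",
     rb"\x68\x2A\x00\x2A\x00", re.DOTALL),
    ("M13", "SoftICE registry key (#1, #2 or #3 above)",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE),
]


def scan(blob):
    """Return (offset, tag, description) for every signature found in blob."""
    hits = []
    for tag, desc, pattern, flags in SIGNATURES:
        for m in re.finditer(pattern, blob, flags):
            hits.append((m.start(), tag, desc))
    return sorted(hits)


# Constructed sample: a few of the page's snippets assembled by hand and
# joined with NOPs. It is not a real program.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                       # offset  8: mov ebp,4243484Bh (M01)
    + b"\xB8\x04\x00\xCC\x3C\x04"                   # offset 13: mov ax,4 / int 3 / cmp al,4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # offset 19: mov ax,0911h / si / di / int 3 (M02 at 22)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # offset 29: mov ax,4Fh / int 41h / cmp ax,0F386h (M05)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # offset 37: push 4Fh / push 002A002Ah (M12 at 39)
    + b"\\\\.\\SICE\x00"                            # offset 44: '\\.\SICE',0 (M11)
    + b"Software\\NuMega\\SoftICE\x00"              # offset 53: registry key #2 (M13)
)


if __name__ == "__main__":
    # Run on a real file with: scan(open(path, "rb").read())
    for offset, tag, desc in scan(SAMPLE):
        print("%6d  %s  %s" % (offset, tag, desc))
```

Methods 06, 08, 09, 10 and 14 are left out on purpose: they are either ring-0 service calls with no stable byte pattern in a ring-3 file, or (Method 06) a vector swap whose only fixed part is the handler install, which is too generic to be a useful signature.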
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>