<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

mov ebp, 04243484Bh ; 'BCHK' : BoundsChecker signature
mov ax, 04h ; BoundsChecker service 04h
int 3 ; SoftICE's int 3 handler recognises the signature
cmp al,4 ; al is left at 04h when no SoftICE intercepted the int 3
jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

xor di,di
mov es,di ; es:di = 0:0 before the call
mov ax, 1684h ; int 2Fh function 1684h: get VxD API entry point
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di ; es:di stays 0:0 if the VxD is not loaded
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

xor di,di
mov es,di ; es:di = 0:0 before the call
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh ; int 41h function 4Fh: debugger installation check
int 41h
cmp ax, 0F386h ; magic number returned by system debuggers
jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

xor ax,ax
mov es,ax ; es -> segment 0, the interrupt vector table
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; install a dummy int 41h handler, keep the old vector in bx:dx
xchg bx, es:[41h*4+2]
mov ax,4fh
int 41h
xchg dx, es:[41h*4] ; restore the original vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h ; the dummy handler leaves ax alone: only a debugger answers 0F386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
mov cl,al ; our handler copies al into cl
iret
int41handler ENDP


xor ax,ax
mov es,ax ; es -> segment 0, the interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4] ; install our handler, keep the old vector in bx:dx
xchg bx, es:[41h*4+2]
in al, 40h ; read the timer: an unpredictable value in al
xor cx,cx
int 41h
xchg dx, es:[41h*4] ; restore the original vector
xchg bx, es:[41h*4+2]
cmp cl,al ; cl==al only if our handler was really reached
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86)

mov ah,43h ; int 68h function 43h: debugger installation check
int 68h
cmp ax,0F386h
jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

mov ah, 25h ; DOS: set interrupt vector
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine ; ds:dx -> new handler
int 21h


___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* try to open the SoftICE driver through its device name */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the driver answered the open: SoftICE is loaded */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax ; _lopen returns -1 (HFILE_ERROR) when the open failed
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxdCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
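As an added example (not part of the original text), here is the kind of signature scanner an analyst triaging a packed sample would write to spot the tricks described in Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 from their byte patterns. The opcode encodings, rule names and the hand-assembled sample blob are my assumptions, not the page's.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above. The
# opcode encodings are assumptions: 16-bit operand size for the DOS sequences
# (methods 02-07), 32-bit for the Win32 ones (methods 01, 11, 12, 13).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_BoundsChecker_BCHK": re.compile(rb"\xbdKHCB.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (SoftICE back door)
    "M02_BackDoor_SI_DI_magic": re.compile(rb"\xbeGF.{0,6}?\xbfMJ.{0,4}?\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03_M04_Int2F_1684_VxD_ID": re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Methods 05/06: int 41h ... cmp ax,0F386h (debugger magic number)
    "M05_Int41_cmp_F386": re.compile(rb"\xcd\x41.{0,6}?\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h
    "M07_Int68_43": re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 11 (MeltICE): SoftICE device names passed to CreateFileA/_lopen
    "M11_MeltICE_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "M12_VxDCall_Int41Dispatch": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: registry key of the SoftICE installation
    "M13_Registry_NuMega_SoftICE": re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}


def scan(blob):
    """Return all (offset, rule_name) hits in blob, sorted by offset.

    These are triage heuristics: a hit says the sample carries a byte
    sequence tied to one of the tricks above, nothing more, and dense
    random data can produce occasional false positives."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(blob):
    """Count hits per rule, e.g. {'M11_MeltICE_device_name': 2}."""
    counts = {}
    for _, name in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample (not a real binary): the Method 01, 02, 03, 05 and 11
# sequences from the page, hand-assembled and padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbdKHCB\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"      # 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xb8\x11\x09\xbeGF\xbfMJ\xcc"                      # 02: mov ax,911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # 03: xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"          # 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"               # 11: device-name strings
    + b"\x90" * 4
)
```

Running scan(SAMPLE) reports one hit each for the Method 01, 02, 03 and 05 sequences and two for the Method 11 device names, at the offsets where they were assembled.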
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed ; zero flag set when no debugger is installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>