<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP holding
the 'BCHK' signature and AX=4, the INT 3 is answered by SoftICE, which alters
AL before returning. Without SoftICE, AL is still 4 afterwards.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger is
not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). ES:DI is zeroed first, so if
nobody answers the call it stays zero; a non-zero ES:DI means the VxD with
that ID is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________



Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped for a
dummy handler (ES must point to the interrupt vector table, segment 0, as set
up in Method 06), so a machine without a debugger returns AX unchanged;
SoftICE hooks INT 41h below the vector table and still answers 0F386h:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function 4Fh and no 0F386h compare are involved. A dummy handler that copies
AL into CL is installed on int 41h, AL is loaded with a pseudo-random value
(the PIT counter read from port 40h) and CX is cleared. If the INT 41h
reaches the installed handler, CL equals AL afterwards; if something else
(a debugger) handled the interrupt, the values differ:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of SoftICE detection, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: bit 10 of DR7 always reads as 1, and 0x700 adds the LE and GE
exact-breakpoint enable bits 8 and 9) or whether memory breakpoints (BPMs)
are set (DR0 to DR3, armed through the low bits of DR7), simply by reading
their value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

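As an added example (mine, not part of the original text), here is the
decoding this trick relies on, done in Python over constructed register
values: which BPM slots DR7 enables, what the 0x400/0x700 figures mean, and
what a ring-0 routine writes back to "clear BPMs". The DR7 bit layout is the
architectural one (Intel SDM vol. 3); the function names and the sample
values are assumptions for the demonstration.

```python
"""Decode/clear the x86 debug registers the way a ring-0 anti-debug check
(Method 10) looks at them.  Added example, not from the original text: the
DR7 bit layout is the architectural one (Intel SDM vol. 3); the register
values used below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import List, Sequence

# DR7 bit positions ("Debug Control Register (DR7)").
DR7_LE = 1 << 8             # local exact breakpoint enable (legacy bit)
DR7_GE = 1 << 9             # global exact breakpoint enable (legacy bit)
DR7_RESERVED_ONE = 1 << 10  # always reads as 1: this is why an idle DR7 is 0x400
DR7_GD = 1 << 13            # general detect: #DB on any MOV to/from a debug register

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 = 8 bytes only in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int       # which DRn (0..3) holds the linear address
    address: int
    kind: str       # execute / write / io / read-write
    length: int     # bytes covered
    scope: str      # "local", "global" or "local+global"


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[HwBreakpoint]:
    """Return the hardware breakpoints (BPMs) that DR7 currently enables."""
    found = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1          # Ln bit
        glob = (dr7 >> (2 * slot + 1)) & 1       # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11     # R/Wn field
        ln = (dr7 >> (18 + 4 * slot)) & 0b11     # LENn field
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        found.append(HwBreakpoint(slot, dr0_3[slot], RW_NAMES[rw], LEN_BYTES[ln], scope))
    return found


def encode_bpm(slot: int, kind: str, length: int, base: int = DR7_RESERVED_ONE) -> int:
    """Build the DR7 value a debugger writes to arm one local BPM in a slot."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


def exact_enables_set(dr7: int) -> bool:
    """The 0x700 signature from the text: LE and GE set on top of the reserved bit."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpms(dr7: int) -> int:
    """What an anti-debug routine does when it 'clears BPMs': drop every Ln/Gn
    enable and every R/W-LEN field, keep the control bits (LE, GE, GD)."""
    return (dr7 & 0x0000FF00) | DR7_RESERVED_ONE


if __name__ == "__main__":
    # Constructed: SoftICE-loader style DR7 plus one 4-byte write BPM on 00401000h.
    armed = encode_bpm(0, "write", 4, base=DR7_RESERVED_ONE | DR7_LE | DR7_GE)
    for bp in decode_dr7(armed, (0x00401000, 0, 0, 0)):
        print(bp)
    print(hex(clear_bpms(armed)))  # 0x700: loader signature survives, BPM is gone
```

Reading DR7 for 0x400 or 0x700 says nothing about BPMs; it is the low byte
and the R/W-LEN fields that reveal them, which is what decode_dr7 extracts
and clear_bpms wipes.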
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, the open of a device name goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091


There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but is very limited, because it is only available under
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to catch it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one.

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (0x13 and 0x37 are the offsets of the 'tICE'
of 'SoftICE' within the subkey strings of #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
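
The BPX/BPINT expressions given per method are what you type while the
program is running under SoftICE. The offline equivalent is a byte-pattern
scan of the file. Below is an added example (mine, not part of the original
text or of any tool it names) that looks for the idioms of Methods 01 to 13
in a raw binary. The byte patterns are the plain x86 encodings of the
instructions listed above (16-bit operand size, with an optional 66h prefix
for the same instruction in 32-bit code); the method numbers refer to this
page, and the sample buffers are hand-assembled from the listings, not
extracted from any real program.

```python
"""Static scanner for the SoftICE detection idioms listed on this page.

Added example, not part of the original text or of any tool it mentions: the
offline counterpart of the per-method BPX/BPINT breakpoints.  Byte patterns
are the plain x86 encodings of the listed instructions; the sample buffers at
the bottom are constructed by hand from the listings, not real binaries.
"""
import re
from typing import Dict, List, Tuple

# (method number on this page, what the idiom is, regex over raw bytes)
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "INT 3 BoundsChecker interface: mov ebp,'BCHK' ... int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)"),
    ("02", "INT 3 back door: mov si,4647h and mov di,4A4Dh magic values",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46"),
    ("03/04", "INT 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05", "INT 41h function 4Fh debugger installation check",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("05/07/12", "compare against the 0F386h system-debugger magic number",
     rb"\x3D\x86\xF3"),
    ("07", "INT 68h function 43h (WinICE V86 handler)",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("11", "SoftICE driver device name (MeltICE: CreateFileA or _lopen)",
     rb"(?i)\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "registry lookup of the SoftICE installation keys (ASCII only)",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def scan(blob: bytes) -> List[Dict[str, object]]:
    """Return every signature hit in blob, ordered by file offset."""
    hits: List[Dict[str, object]] = []
    for method, what, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append({"method": method, "offset": m.start(), "what": what,
                         "bytes": m.group(0).hex()})
    return sorted(hits, key=lambda h: (h["offset"], h["method"]))


def methods_found(blob: bytes) -> List[str]:
    """Just the distinct method numbers, for a quick verdict on a file."""
    return sorted({h["method"] for h in scan(blob)})


# Constructed samples, hand-assembled from the listings on this page.
SAMPLE_METHOD01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7510")        # 32-bit code
SAMPLE_METHOD02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")            # Haspinst loop body
SAMPLE_METHOD03 = bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F")
SAMPLE_METHOD05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7400")
SAMPLE_METHOD06 = bytes.fromhex("33C0" "8EC0" "E440" "33C9" "CD41" "3AC8" "7500")  # no 4Fh, no F386h
SAMPLE_METHOD07 = bytes.fromhex("B443" "CD68" "3D86F3" "7400")
SAMPLE_METHOD11 = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
SAMPLE_METHOD12 = bytes.fromhex("6A4F" "682A002A00" "FF1500000000" "663D86F3" "7400")
SAMPLE_METHOD13 = b"Software\\NuMega\\SoftICE\x00"

if __name__ == "__main__":
    for name, blob in [("Method 01", SAMPLE_METHOD01), ("Method 02", SAMPLE_METHOD02),
                       ("Method 06", SAMPLE_METHOD06), ("Method 11", SAMPLE_METHOD11)]:
        print(f"{name}: {methods_found(blob) or 'no fixed signature'}")
```

Method 06 deliberately uses neither function 4Fh nor the 0F386h compare, so
it has no fixed signature here and the scanner returns nothing for its
sample, which is exactly why the text calls it more difficult to detect.
Unicode (UTF-16) copies of the device and registry strings are not covered.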
</PRE></TD></TR></TBODY></TABLE>