<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

If SoftICE is loaded, its int 3 handler recognizes the 'BCHK' signature and
changes AL; without a debugger the int 3 simply raises a breakpoint exception,
so the protection has to install its own exception handler beforehand.

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV   AX,0911       ; execute command.
4C19:0098  MOV   DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV   SI,4647       ; 1st magic value.
4C19:009D  MOV   DI,4A4D       ; 2nd magic value.
4C19:00A0  INT   3             ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD   BX,02         ; BX+2 to point to the next command to execute
4C19:00A4  INC   CX
4C19:00A5  CMP   CX,06         ; Repeat 6 times to execute
4C19:00A8  JB    0095          ; 6 different commands.
4C19:00AA  JMP   0002          ; Bad_Guy: jmp back.
4C19:00AD  MOV   BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point):

        xor     di, di
        mov     es, di                  ; ES:DI must be 0:0 on entry
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ;   (ES:DI stays 0:0 if the VxD is absent)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE graphics (SIWVID) VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger when int 41h, function 4Fh (debugger installation check) is called.
There are several variants.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This fragment assumes ES already points to
the interrupt vector table (ES = 0), as Method 06 sets up explicitly:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler,
        xchg    bx, es:[41h*4+2]        ;   keeping the old vector in bx:dx
        mov     ax, 4fh
        int     41h                     ; SoftICE traps this before the IVT vector
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; read a timer byte (pseudo-random)
        xor     cx, cx
        int     41h                     ; our handler copies al to cl...
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; ...unless SoftICE swallowed the int
        jnz     SoftICE_detected

No magic value is compared here, only the side effect of the program's own
handler, so a conditional breakpoint on ax==4f does not catch it. (A timer
byte of 0 is a false negative for the protection.)

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 debugger interface):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPM) are set (dr0 to dr3), simply by
reading their values (in ring 0 only). 0x400 is just the always-set reserved
bit 10 of DR7; 0x700 additionally has the LE and GE (exact breakpoint) bits
set. The values can be manipulated or changed as well (clearing BPMs, for
instance).

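As an added example (not code from the original text), here is a Python decoder for the DR7 bit layout that a ring-0 check like the one above would interpret. Reading the registers themselves needs ring 0; this only interprets values already dumped. The 0x700 and 0x400 values are the ones quoted above, and the third sample (one global read/write BPM on a constructed address) is made up for the demonstration.

```python
"""Decode DR7 the way a Method 10 style ring-0 check would read it.

Added example, not from the original page. The bit layout is the documented
x86 DR7 layout; sample values 0x700 / 0x400 are the ones the text quotes,
the BPM sample is constructed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN field -> breakpoint length in bytes


def decode_dr7(dr7):
    """Return a dict describing the four breakpoint slots and the global flags."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)          # L0..L3 = bits 0,2,4,6
        glob = bool(dr7 >> (2 * i + 1) & 1)       # G0..G3 = bits 1,3,5,7
        rw = dr7 >> (16 + 4 * i) & 3              # R/Wn  = 2 bits from bit 16
        ln = dr7 >> (18 + 4 * i) & 3              # LENn  = 2 bits from bit 18
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "len": LEN_NAMES[ln],
        })
    return {
        "breakpoints": slots,
        "LE": bool(dr7 >> 8 & 1),                 # local exact breakpoint (legacy)
        "GE": bool(dr7 >> 9 & 1),                 # global exact breakpoint (legacy)
        "reserved_bit10": bool(dr7 >> 10 & 1),    # always reads as 1
        "GD": bool(dr7 >> 13 & 1),                # general detect: traps MOV DRx
    }


def softice_indicators(dr0_3, dr7):
    """Mirror the Method 10 reasoning on a dumped DR0..DR3 list and DR7 value."""
    d = decode_dr7(dr7)
    active = [(bp["slot"], dr0_3[bp["slot"]], bp["type"], bp["len"])
              for bp in d["breakpoints"] if bp["enabled"]]
    return {
        "loader_signature": d["LE"] and d["GE"],     # the 0x700 case
        "clean_baseline": (dr7 & 0xFFFF) == 0x400,   # only the reserved bit set
        "active_bpm": active,                        # live hardware breakpoints
    }


if __name__ == "__main__":
    for regs, dr7 in (([0] * 4, 0x700), ([0] * 4, 0x400),
                      ([0x401000, 0, 0, 0], 0xF0402)):   # constructed BPM sample
        print(hex(dr7), softice_indicators(regs, dr7))
```

A protection that reads DR7 from ring 0 sees exactly these bits; note that a BPX (int 3 patch) leaves DR0-DR3 untouched, so only BPM breakpoints show up in `active_bpm`.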
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered, so it is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push  00402025            ; \\.\SICE
        0040106C:  call  CreateFileA
        00401071:  cmp   eax,-001            ; INVALID_HANDLE_VALUE
        00401074:  je    00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ;   (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is lpSubKey; 0x13 is the offset of "tICE" in key #2, 0x37 in key #1)

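Most of the tricks above (Methods 01 to 07, 11, 12 and 13) leave a recognizable instruction sequence or string in the protected binary, so a static scan is a quick way to triage a packed file before loading it under SoftICE. The following Python scanner is an added example written for this page (it is not from the original text, MeltICE, or any tool named here). The opcode byte patterns are my own assembly of the instructions quoted above, with an optional 66h prefix to cover the 16-bit register forms inside 32-bit code; they are an assumption to double-check against a disassembler, and the sample blob is constructed.

```python
"""Static scanner for the anti-SoftICE signatures described on this page.

Added example, not from the original text. Patterns are hand-assembled from
the listed instruction sequences (an assumption: verify with a disassembler).
"""
import re

# (method on the page, description, regex over raw bytes)
SIGNATURES = [
    ("01", "BoundsChecker BCHK: mov ebp,'BCHK' / mov ax,4 / int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC")),
    ("02", "SoftICE back door magic: mov si,4647h / mov di,4A4Dh (either order)",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"
                rb"|(?:\x66)?\xBF\x4D\x4A(?:\x66)?\xBE\x47\x46")),
    ("03/04", "int 2Fh/1684h with a SoftICE VxD ID (0202h or 7A5Fh)",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05/06", "int 41h function 4Fh debugger installation check",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    ("07", "int 68h function 43h (V86 debugger interface)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry keys",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]

# Method 11 device names, searched both as ASCII and as UTF-16LE (CreateFileW).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def find_all(blob, needle):
    """Yield every offset of needle in blob (overlaps included)."""
    off = blob.find(needle)
    while off != -1:
        yield off
        off = blob.find(needle, off + 1)


def scan(blob):
    """Return a sorted list of (offset, method, description) hits."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    for name in DEVICE_NAMES:
        text = name.decode()
        for enc, label in ((name, "ASCII"), (text.encode("utf-16-le"), "UTF-16LE")):
            for off in find_all(blob, enc):
                hits.append((off, "11", f"MeltICE device name {text} ({label})"))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk; packed sections are scanned as they are (no unpacking)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: filler, then one instance each of methods 01, 03, 12, 11, 13.
SAMPLE = (
    b"\x55\x8B\xEC"                                 # push ebp / mov ebp,esp (filler)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01, 32-bit code
    + b"\x3C\x04\x75\x10"                           # cmp al,4 / jnz +10h
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03, 16-bit code
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # Method 12 VxDCall arguments
    + b"\\\\.\\SICE\x00"                            # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"              # Method 13 registry key #2
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:08x}  method {method:5}  {desc}")
```

Hits are only a triage aid: the byte sequences are short, so confirm each one in a disassembler, and a packer that builds the values at run time (for example `xor`-ing the magic into SI/DI) will not be caught by a static pattern at all.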
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>