About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and put the original vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; copy al into cl so the caller can tell we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable byte from the PIT counter port
    xor     cx,cx
    int     41h             ; if a debugger swallows int 41h, cl stays 0
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
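The detections in methods 01 to 07 all reduce to a few fixed instruction sequences, so an analyst triaging a DOS/Win9x sample can look for their opcodes directly. The scanner below is an added example, not code from the original post: it searches a buffer for the 16-bit encodings of the sequences shown above (mov ebp,'BCHK'/int 3, the SI/DI magic values of the int 3 backdoor, int 2Fh/1684h with VxD IDs 0202h and 7A5Fh, int 41h/4Fh and int 68h/43h) and reports which ones are present. The signature names, the functions and the sample buffers are constructed here for the demonstration and are not SoftICE's or any tool's.

```c
/* Added example: opcode-signature scanner for the anti-SoftICE sequences of
 * methods 01-07. Encodings are the standard 16-bit x86 ones for the
 * instructions shown in the text; sample buffers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig {
    const char    *name;    /* which method of the text the pattern belongs to */
    const uint8_t *bytes;
    size_t         len;
};

/* Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42 (66 prefix in 16-bit code) */
static const uint8_t sig_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ; mov di,4A4Dh -> BE 47 46 BF 4D 4A */
static const uint8_t sig_magic[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t sig_sice[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t sig_siwvid[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh ; int 41h */
static const uint8_t sig_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h ; int 68h */
static const uint8_t sig_int68[]  = { 0xB4, 0x43, 0xCD, 0x68 };

static const struct sig SIGS[] = {
    { "M01 int3/BCHK",     sig_bchk,   sizeof sig_bchk   },
    { "M02 int3 backdoor", sig_magic,  sizeof sig_magic  },
    { "M03 int2F SICE",    sig_sice,   sizeof sig_sice   },
    { "M04 int2F SIWVID",  sig_siwvid, sizeof sig_siwvid },
    { "M05 int41/4F",      sig_int41,  sizeof sig_int41  },
    { "M07 int68/43",      sig_int68,  sizeof sig_int68  },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Naive substring search; fine for the small buffers a triage script looks at. */
static int contains(const uint8_t *buf, size_t n, const uint8_t *pat, size_t m)
{
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Scan buf; store the names of matching signatures in hits (up to max).
 * Returns the number of distinct signatures found, in table order. */
int scan_anti_softice(const uint8_t *buf, size_t n, const char **hits, int max)
{
    int found = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        if (contains(buf, n, SIGS[s].bytes, SIGS[s].len)) {
            if (found < max) hits[found] = SIGS[s].name;
            found++;
        }
    }
    return found;
}

/* Convenience wrappers: how many signatures, and the name of the idx-th hit (NULL if none). */
int scan_count(const uint8_t *buf, size_t n)
{
    const char *h[NSIGS];
    return scan_anti_softice(buf, n, h, (int)NSIGS);
}

const char *scan_hit(const uint8_t *buf, size_t n, int idx)
{
    static const char *h[NSIGS];
    int c = scan_anti_softice(buf, n, h, (int)NSIGS);
    return (idx >= 0 && idx < c) ? h[idx] : NULL;
}

/* Constructed sample: method 01 as assembled in 16-bit code, filler, then method 03. */
const uint8_t SAMPLE_DETECTING[] = {
    0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,             /* mov ebp,4243484Bh        */
    0xB8, 0x04, 0x00,                               /* mov ax,4                 */
    0xCC,                                           /* int 3                    */
    0x3C, 0x04,                                     /* cmp al,4                 */
    0x75, 0x10,                                     /* jnz SoftICE_Detected     */
    0x90, 0x90, 0x90,
    0x31, 0xFF, 0x8E, 0xC7,                         /* xor di,di ; mov es,di    */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, /* int 2Fh/1684h, VxD 0202h */
    0xC3
};
const size_t SAMPLE_DETECTING_LEN = sizeof SAMPLE_DETECTING;

/* Constructed clean sample: nothing but NOPs and a ret. */
const uint8_t SAMPLE_CLEAN[] = { 0x90, 0x90, 0x90, 0xC3 };
const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    int n = scan_count(SAMPLE_DETECTING, SAMPLE_DETECTING_LEN);
    printf("%d signature(s) found\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", scan_hit(SAMPLE_DETECTING, SAMPLE_DETECTING_LEN, i));
    return 0;
}
```

Matching exact byte strings is the cheapest form of this check: a protector that loads the magic values through another register or splits the sequence with junk instructions will slip past it, which is why the run-time breakpoints the text gives (BPINT 3, BPX exec_int, ...) stay the more reliable way to catch the trick while it executes.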
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
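To make sense of the dr7 values quoted above (0x400 when SoftICE is not driving the process, 0x700 when it is), here is an added example that is not from the original post: a decoder for the DR7 bit layout as Intel documents it, applied to constructed values. It shows why 0x400 means "no breakpoints" (bit 10 is reserved and always reads as 1), that 0x700 only adds the LE/GE exact-breakpoint bits (8 and 9), and how a BPM shows up as an L/G enable bit plus R/W and LEN fields. The value itself has to be obtained in ring0, as the text says (a mov from dr7 in ring3 faults); the decoder is plain arithmetic on an already-read value.

```c
/* Added example: decode a DR7 value into its fields (layout per the Intel SDM).
 * Sample values are constructed; nothing here touches the real debug registers. */
#include <stdint.h>
#include <stdio.h>

struct dr7_state {
    int local[4];   /* Ln (bits 0,2,4,6): breakpoint n enabled for this task */
    int global[4];  /* Gn (bits 1,3,5,7): breakpoint n enabled globally */
    int rw[4];      /* R/Wn (bits 16+4n): 0=exec, 1=write, 2=I/O, 3=read/write */
    int len[4];     /* LENn (bits 18+4n): 0=1 byte, 1=2 bytes, 3=4 bytes */
    int le, ge;     /* bits 8/9: local/global exact breakpoint enable */
    int gd;         /* bit 13: general detect, faults on any access to dr0..dr7 */
};

void decode_dr7(uint32_t dr7, struct dr7_state *st)
{
    for (int i = 0; i < 4; i++) {
        st->local[i]  = (dr7 >> (2 * i))      & 1;
        st->global[i] = (dr7 >> (2 * i + 1))  & 1;
        st->rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        st->len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    st->le = (dr7 >> 8)  & 1;
    st->ge = (dr7 >> 9)  & 1;
    st->gd = (dr7 >> 13) & 1;
}

/* Number of hardware breakpoints (dr0..dr3) enabled locally or globally. */
int dr7_enabled_count(uint32_t dr7)
{
    struct dr7_state st;
    decode_dr7(dr7, &st);
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (st.local[i] || st.global[i]) n++;
    return n;
}

/* LE in bit 0, GE in bit 1 of the result: 0 for the text's 0x400, 3 for its 0x700. */
int dr7_le_ge(uint32_t dr7)
{
    struct dr7_state st;
    decode_dr7(dr7, &st);
    return st.le | (st.ge << 1);
}

/* R/W and LEN of breakpoint n packed as rw*4+len, or -1 if it is not enabled. */
int dr7_bp_kind(uint32_t dr7, int n)
{
    struct dr7_state st;
    decode_dr7(dr7, &st);
    if (n < 0 || n > 3 || !(st.local[n] || st.global[n])) return -1;
    return st.rw[n] * 4 + st.len[n];
}

int main(void)
{
    /* Constructed: the two values from the text, plus a 4-byte write BPM on dr0 */
    uint32_t samples[] = { 0x400, 0x700, 0x000D0001 };
    for (int i = 0; i < 3; i++) {
        struct dr7_state st;
        decode_dr7(samples[i], &st);
        printf("dr7=%08X: %d breakpoint(s) enabled, LE=%d GE=%d GD=%d\n",
               (unsigned)samples[i], dr7_enabled_count(samples[i]), st.le, st.ge, st.gd);
        for (int b = 0; b < 4; b++)
            if (st.local[b] || st.global[b])
                printf("  dr%d: rw=%d len=%d\n", b, st.rw[b], st.len[b]);
    }
    return 0;
}
```

Because the enable bits sit in the low byte, a protector only has to test dr7 & 0xFF to learn that BPMs exist; the decoder makes explicit which ones, and which dr0..dr3 address each one belongs to, which is what you want to know when deciding which breakpoints to clear before tracing such code.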

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
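The two conditional breakpoints given for MeltICE (method 11, BPX CreateFileA ...) and for the registry probe just above (method 13, BPX _regopenkey ...) both work by comparing a dword inside the string argument with a four-character literal; the offsets 4, 0x13 and 0x37 are what make them fire for exactly the right names. The C below is an added example, not code from the original post, that re-expresses both conditions so the offsets can be checked against constructed inputs: esp->4 and esp->8 are the first and second stack arguments, and *(p+off)=='SICE' is modelled as a bounds-checked 4-byte compare.

```c
/* Added example: the CreateFileA and _regopenkey breakpoint conditions from the
 * text, rewritten as C predicates. Inputs are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of SoftICE's *(p+off)=='abcd' on a C string; 0 if the string is too short
 * (SoftICE would simply read past the string, we refuse). */
static int dword_at_equals(const char *s, size_t off, const char lit[4])
{
    size_t n = strlen(s);
    if (n < off + 4) return 0;
    return memcmp(s + off, lit, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * lpFileName is the first argument; +4 skips the "\\.\" device prefix, leaving the
 * first four characters of the driver name. */
int bpx_createfilea_matches(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * lpSubKey is the second argument. Offset 0x13 lands on "tICE" inside
 * "Software\NuMega\SoftICE" (key #2) and 0x37 on "tICE" inside
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int bpx_regopenkey_matches(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed arguments: the three driver names from the text, a normal file,
     * and a string too short for the +4 read. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\AUTOEXEC.BAT", "\\\\.\\SI" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               bpx_createfilea_matches(files[i]) ? "break" : "no break");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               bpx_regopenkey_matches(keys[i]) ? "break" : "no break");
    return 0;
}
```

Both conditions are prefix matches: 'SIWV' catches \\.\SIWVID and 'tICE' at 0x13 catches anything under Software\NuMega\SoftICE, which is what you want from a breakpoint; key #3 (App Paths\Loader32.Exe) is not covered by either offset, so a program probing only that key would pass the _regopenkey breakpoint unnoticed.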

__________________________________________________________________________



Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>