<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3       ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
 4C19:00A8 JB 0095     ; 6 different commands.
 4C19:00AA JMP 0002    ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only when SICE is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00               ; OF_READ
 mov eax,[00656634]    ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589          ; detected
 push 00               ; OF_READ
 mov eax,[00656638]    ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
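The constants the methods above depend on (the 'BCHK' value, the 4647h/4A4Dh magic pair, the int 41h/4Fh check against 0F386h, the VxD IDs 0202h/7A5Fh, the driver names opened by MeltICE/_lopen, the VxDCall parameters and the NuMega registry key) can be turned around for triage: a static scan that flags a packer carrying these tricks before you load it under a debugger. The following Python scanner is an added example, not part of the original text nor of any tool it mentions; the byte patterns are the x86 encodings of the listed instructions, and the sample blob is constructed for this example.

```python
# Added example: static triage scanner for the anti-SoftICE signatures
# described in methods 01-05 and 11-13.  Byte patterns are the x86 encodings
# of the listed instructions; SAMPLE is a constructed blob, not a real file.
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42 (32-bit code)
    "method01_bchk": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (16-bit code); a few bytes
    # are allowed in between because packers interleave other instructions
    "method02_backdoor": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "method03_04_vxd_id": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "method05_int41": re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 11: driver device names opened with CreateFileA or _lopen
    "method11_meltice": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "method12_vxdcall": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key probed to locate the install directory
    "method13_registry": re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes) -> dict:
    """Return {signature_name: [offsets, ...]} for every signature that hits."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: header padding, a Haspinst-style back door call, the
# int 41h/4Fh check, a MeltICE device name and the NuMega registry key.
SAMPLE = (
    b"MZ" + b"\x90" * 6                    # offsets 0-7: fake header
    + b"\xB8\x11\x09"                      # 8:  mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # 11: mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4                          # 18-21: padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # 22: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 3                          # 30-32: padding
    + b"\\\\.\\SICE\x00"                   # 33: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"     # 42: registry key string
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:20s} at {', '.join(hex(o) for o in offsets)}")
```

The patterns match the exact encodings shown on this page; a packer that reorders the register loads or uses different encodings needs a looser pattern or an emulation-based check.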

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>