<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This detection method (as well as the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is no longer 4 if SoftICE answered the BoundsChecker query
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
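A static scanner for the two INT 3 tricks above (Methods 01 and 02), added here as an example; it is not part of the original text. It matches the 16-bit byte encodings of the instructions in the listings over constructed sample bytes (modelled on the Haspinst.exe loop, not taken from it), and also accepts the two-byte CD 03 form of int 3 that a packer may use instead of CC. Function and constant names are my own.

```python
import re

# 16-bit x86 encodings of the instructions shown in the listings above.
MOV_SI_MAGIC = b"\xbe\x47\x46"          # mov si,4647h
MOV_DI_MAGIC = b"\xbf\x4d\x4a"          # mov di,4A4Dh
MOV_EBP_BCHK = b"\xbd\x4b\x48\x43\x42"  # mov ebp,4243484Bh ('BCHK'); a 66h prefix may precede it
INT3 = re.compile(rb"\xcc|\xcd\x03")    # int 3: one-byte CC or the two-byte CD 03 form
MOV_AX_BACKDOOR = re.compile(rb"\xb8([\x10-\x14])\x09")  # mov ax,091xh selects the function

BACKDOOR_FUNCS = {
    0x0910: "display string", 0x0911: "execute command",
    0x0912: "get breakpoint info", 0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

def scan(code: bytes, window: int = 16) -> list:
    """Return (offset, description) for each int 3 that is preceded, within
    `window` bytes, by the BoundsChecker magic or by both back-door magic values."""
    hits = []
    for m in INT3.finditer(code):
        before = code[max(0, m.start() - window):m.start()]
        if MOV_EBP_BCHK in before:
            hits.append((m.start(), "method 01: BoundsChecker 'BCHK' check"))
        elif MOV_SI_MAGIC in before and MOV_DI_MAGIC in before:
            f = MOV_AX_BACKDOOR.search(before)
            name = BACKDOOR_FUNCS[0x0900 | f.group(1)[0]] if f else "unknown function"
            hits.append((m.start(), f"method 02: back door, {name}"))
    return hits

# Constructed samples (not real program bytes), modelled on the listings above.
HASP_LIKE = (b"\xb8\x11\x09"        # mov ax,0911h
             + b"\x8b\x17"          # mov dx,[bx]
             + MOV_SI_MAGIC + MOV_DI_MAGIC
             + b"\xcc"              # int 3
             + b"\x83\xc3\x02")     # add bx,2
BCHK_LIKE = (b"\x66" + MOV_EBP_BCHK  # mov ebp,'BCHK' with operand-size prefix
             + b"\xb8\x04\x00"       # mov ax,4
             + b"\xcd\x03"           # int 3, long form
             + b"\x3c\x04"           # cmp al,4
             + b"\x75\x10")          # jnz SoftICE_Detected
PLAIN_INT3 = b"\x90\x90\xcc\x90"     # an ordinary int 3 with no magic values

if __name__ == "__main__":
    for name, sample in (("HASP_LIKE", HASP_LIKE), ("BCHK_LIKE", BCHK_LIKE),
                         ("PLAIN_INT3", PLAIN_INT3)):
        print(name, scan(sample))
```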
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI is still 0000:0000 if no such VxD is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is
temporarily replaced by a dummy handler, so ax can only come back as 0F386h
if something underneath the interrupt vector table (SoftICE) intercepted
the call:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler records the value it received in al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer port: an unpredictable value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl stays 0 if our handler was never reached
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx = new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
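The DR7 values quoted above decode as follows. This decoder is an added example, not from the original text; it uses the documented DR7 bit layout so an analyst reading a register dump can see which BPMs are armed and what the text's 0x700/0x400 heuristic and "clearing BPMs" mean bit by bit. Function names and the sample value are my own.

```python
# DR7 bit layout: Ln/Gn enable bits for breakpoint n at bits 2n and 2n+1,
# LE/GE at bits 8/9, bit 10 reserved and always read as 1, GD at bit 13,
# R/Wn at bits 16+4n..17+4n and LENn at bits 18+4n..19+4n.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8, 11=4 bytes

def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the control bits of DR7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # breakpoint slot n is disarmed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "LE": bool((dr7 >> 8) & 1),
            "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1)}  # GD traps any MOV to/from a debug register

def matches_loader_signature(dr7: int) -> bool:
    """The text's heuristic: 0x700 (LE and GE set, no BPM armed) is what it
    reports after starting a program through the SoftICE loader; 0x400 is the
    bare reserved bit seen otherwise."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not d["breakpoints"]

def clear_bpms(dr7: int) -> int:
    """What 'clearing BPMs' from ring0 amounts to: drop every Ln/Gn enable bit
    and every R/W-LEN field, keep LE/GE/GD and the reserved bit."""
    return dr7 & 0x0000FF00

if __name__ == "__main__":
    # Constructed value: a global 4-byte read/write BPM in slot 1 on top of 0x400
    sample_dr7 = 0x00F00408
    print(hex(sample_dr7), decode_dr7(sample_dr7))
    print("loader signature:", matches_loader_signature(0x700), matches_loader_signature(0x400))
    print("after clear:", hex(clear_bpms(sample_dr7)))
```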

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* \\.\SICE is the device name exposed by the SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>