<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: an INT 3 issued with
EBP='BCHK' and AX=4 is answered by SoftICE, which modifies AL, so AL no
longer equals 4 when the debugger is present.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
  -AX = 0912h (Get breakpoint information)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) if the
  debugger is not loaded: with no debugger, INT 3 simply raises a breakpoint
  exception that the program catches itself.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get VxD API entry point). If the VxD is loaded, ES:DI
receives its API entry point; otherwise ES:DI is left at 0:0, which the code
tests by adding the two halves together.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This variant first points the int 41h
vector at a dummy handler (a bare IRET) before making the call, so an answer
of 0F386h cannot come from any handler reached through the real-mode vector
table: it must come from something intercepting the interrupt underneath,
as SoftICE does. ES is assumed to hold 0 (the IVT segment), as it is set
explicitly in Method 06:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect, since no
4Fh/0F386h constant appears for a conditional breakpoint to key on. The int
41h vector is again pointed at a private handler, this time one that copies
AL into CL. AL is loaded with an unpredictable value (the PIT counter read
from port 40h) and CX is cleared before the call. Without a debugger the
private handler runs and CL equals AL afterwards; if SoftICE intercepts the
interrupt, the private handler is never reached, CL stays 0 and the
comparison fails:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if the program was loaded with the SoftICE loader, 0x400 otherwise)
or if memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only: MOV from a debug register is a privileged instruction
and faults at CPL > 0). The values can be manipulated or changed as well
(clearing BPMs, for instance).
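
To make the debug-register check concrete, here is an added example (not
code from the original page) that decodes DR7 and pairs it with DR0..DR3 the
way a ring-0 protector would after reading the registers. The bit layout is
the documented x86 one; the 0x700/0x400 interpretation is taken from the
paragraph above; the register values in main() are constructed. The actual
MOV EAX,DRn reads are not performed here (they need ring 0), so the functions
work on values already captured, for instance from a driver or a crash dump.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0,G0,L1,G1,L2,G2,L3,G3   local/global enable per slot
#   bit 8 / 9   LE / GE                    exact breakpoint match
#   bit 10      reserved, always reads as 1  (the 0x400 seen with no BPMs)
#   bit 13      GD                         general detect (traps MOV DRn)
#   bits 16+4n  R/Wn  00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4n  LENn  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit)
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four breakpoint slot descriptors."""
    slots = []
    for n in range(4):
        slots.append({
            "slot": n,
            "local": bool((dr7 >> (2 * n)) & 1),
            "global": bool((dr7 >> (2 * n + 1)) & 1),
            "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def active_breakpoints(dr0_dr3, dr7):
    """List the armed hardware breakpoints: address from DR0..DR3,
    type/length/scope from DR7.  This is what 'reading dr0 to dr3' reveals."""
    armed = []
    for s in decode_dr7(dr7)["slots"]:
        if s["local"] or s["global"]:
            armed.append({
                "slot": s["slot"],
                "address": dr0_dr3[s["slot"]],
                "type": s["type"],
                "length": s["length"],
                "scope": "global" if s["global"] else "local",
            })
    return armed


def looks_loaded_by_softice_loader(dr7):
    """Per the page: DR7 == 0x700 (LE and GE set on top of the reserved bit)
    when the target was started from the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x700) == 0x700


def clear_memory_breakpoints(dr7):
    """Disarm all four slots (what a protector does to kill BPMs) by clearing
    the eight enable bits; the reserved bit 10 is kept set."""
    return (dr7 & ~0xFF) | DR7_RESERVED


def main():
    # Constructed values: the equivalent of 'bpm 401000 rw' in slot 0, global.
    dr0_dr3 = [0x00401000, 0, 0, 0]
    dr7 = DR7_RESERVED | (1 << 1) | (3 << 16) | (3 << 18)   # 0xF0402
    print("DR7 = 0x%X, SoftICE loader: %s" % (dr7, looks_loaded_by_softice_loader(dr7)))
    for bp in active_breakpoints(dr0_dr3, dr7):
        print("  slot %d: %s %d byte(s) at 0x%08X (%s)" %
              (bp["slot"], bp["type"], bp["length"], bp["address"], bp["scope"]))
    cleaned = clear_memory_breakpoints(dr7)
    print("after clearing: DR7 = 0x%X, armed = %s" %
          (cleaned, active_breakpoints(dr0_dr3, cleaned)))


if __name__ == "__main__":
    main()
```

Note that LE/GE are the only bits that distinguish 0x700 from 0x400, which is
why a target started from the SoftICE loader looks different even when no BPM
is set; clearing the enable bits with clear_memory_breakpoints() is exactly
the "values can be manipulated" case the warning at the top of this method is
about.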
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
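
The breakpoints listed under each method are the dynamic way to catch these
checks; the static counterpart is to look for their opcode bytes in the
protected file. As an added example (not part of the original page), the
following Python scanner turns the listings of Methods 01 to 05, 07, 11 and
12 into byte signatures and runs them over a constructed buffer. The byte
encodings are our own hand-assembly of the mnemonics shown on this page (the
page gives no opcode bytes); the sample buffer embeds the Haspinst.exe loop
from Method 02 re-encoded the same way, a MeltICE device name and a Method 01
stub, separated by NOP padding.

```python
import re

# Byte-level signatures for the SoftICE checks catalogued on this page, as a
# (label, regex-over-bytes) list.  The hex escapes are our own hand-assembly
# of the mnemonics in the listings; the page itself shows no opcode bytes.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 (32-bit, then 16-bit encoding)
    ("M01 BoundsChecker 'BCHK' handshake on int 3",
     rb"(?:\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00|\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00)\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order (back door magic values)
    ("M02 back door magic values SI=4647h DI=4A4Dh",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    ("M03 int 2Fh/1684h, SICE VxD ID 0202h", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("M04 int 2Fh/1684h, SIWVID VxD ID 7A5Fh", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h (a 66h prefix in 32-bit code still matches the tail)
    ("M05 int 41h function 4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h (only 3 bytes, so expect some noise hits)
    ("M05/07/12 compare AX with magic 0F386h", rb"\x3D\x86\xF3"),
    # Method 11: driver device names handed to CreateFileA / _lopen
    ("M11 SoftICE driver device name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah ahead of VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch (002A002Ah), function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(label, re.compile(pattern, re.DOTALL)) for label, pattern in SIGNATURES]


def scan_for_softice_checks(blob):
    """Return (offset, label) pairs, sorted by offset, for every signature hit."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample.  The Haspinst.exe loop from Method 02, encoded by hand
# from the listing (the addresses check out against the instruction sizes).
HASPINST_LOOP = bytes.fromhex(
    "B81109"    # 4C19:0095  MOV AX,0911
    "8B17"      # 4C19:0098  MOV DX,[BX]
    "BE4746"    # 4C19:009A  MOV SI,4647
    "BF4D4A"    # 4C19:009D  MOV DI,4A4D
    "CC"        # 4C19:00A0  INT 3
    "83C302"    # 4C19:00A1  ADD BX,02
    "41"        # 4C19:00A4  INC CX
    "83F906"    # 4C19:00A5  CMP CX,06
    "72EB"      # 4C19:00A8  JB 0095
    "E955FF"    # 4C19:00AA  JMP 0002
    "8BDC"      # 4C19:00AD  MOV BX,SP
)
MELTICE_STRING = b"\\\\.\\SICE\x00"                    # Method 11 device name
BCHK_STUB = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505")  # Method 01, 32-bit
SAMPLE = b"\x90" * 16 + HASPINST_LOOP + b"\x90" * 16 + MELTICE_STRING + BCHK_STUB


def main():
    for offset, label in scan_for_softice_checks(SAMPLE):
        print("0x%04X  %s" % (offset, label))


if __name__ == "__main__":
    main()
```

The signatures are deliberately narrow (exact immediates in the order the
listings use), so a packer that loads the magic values through a register or
splits them across instructions will not match; that is precisely why the
conditional breakpoints given under each method remain the fallback when a
static pass comes back empty.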
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where "tICE" falls in keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag (ZF is set when no debugger is installed).
</PRE></TD></TR></TBODY></TABLE>