<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
    xchg bx, es:[41h*4+2]   ; (ES must point to the IVT, i.e. ES = 0, as in Method 06)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler records al in cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer channel 0 count, a changing value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if our handler was the one that ran, cl == al;
    jnz SoftICE_detected    ; a debugger intercepting int 41h leaves cl = 0

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
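The int-based probes of Methods 01 to 07 leave fixed byte patterns in a binary, so an analyst can find them statically before stepping through anything under SoftICE. The Python signature scanner below is an added example, not code from the original document: each pattern is the standard x86 encoding of the instructions quoted above (with an optional 66h operand-size prefix accepted where 32-bit code would emit one), and the sample buffer is hand-assembled and constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Byte signatures for the probes shown in Methods 01-07. Each pattern is the
# plain x86 encoding of the instructions quoted in the text (16-bit operand
# size unless noted); an optional 66h prefix is allowed for 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("Method 01: BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (the SoftICE back-door magic values)
    ("Method 02: int 3 back door, SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04: int 2Fh/1684h entry point of SICE or SIWVID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("Method 05: int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("Method 07: int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
]


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, lowest offset first."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of the probes, separated by NOPs.
SAMPLE = b"".join([
    b"\x90\x90",                                                  # 0:  nop; nop
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05",  # 2:  Method 01
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03",              # 16: mov ax,0911h; magic at 19; int 3
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",                          # 27: Method 03 (SICE)
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00",                  # 35: Method 05
    b"\xB4\x43\xCD\x68\x3D\x86\xF3",                              # 45: Method 07
    b"\xC3",                                                      # 52: ret
])


if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Method 06 is deliberately left out of the table: it reads a timer value instead of using a fixed function number, so there is no constant worth matching on, which is exactly why the text calls it harder to detect.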
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
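To make the two DR7 values quoted above concrete, here is an added Python decoder (not part of the original text) that splits DR7 into its fields following the published x86 layout: 0x400 is just reserved bit 10, which always reads as 1; 0x700 additionally has LE and GE (bits 8 and 9) set; and a memory breakpoint shows up as one of the L0-L3 enable bits together with its R/W and LEN fields in bits 16-31. The 0xD0401 value (a 4-byte write breakpoint on DR0 on top of the 0x400 base) is constructed for the demonstration.

```python
from typing import Dict, List

# Field layout of the x86 DR7 debug control register (Intel SDM vol. 3,
# "Debug Registers"): bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 LE,
# bit 9 GE, bit 10 reserved and always read as 1, bit 13 GD, and bits 16-31
# hold the R/W and LEN fields of the four breakpoints.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is only defined in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Break a DR7 value into its enable flags and per-breakpoint settings."""
    breakpoints: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "index": i,
            "enabled": bool(local or glob),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def active_bpms(dr7: int) -> List[int]:
    """Indices of DR0-DR3 that are armed, i.e. where a BPM-style breakpoint is set."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


def classify(dr7: int) -> str:
    """Read DR7 the way Method 10 does, using the two values quoted in the text."""
    info = decode_dr7(dr7)
    armed = active_bpms(dr7)
    if armed:
        return "memory breakpoints armed: DR" + ", DR".join(str(i) for i in armed)
    if info["le"] and info["ge"]:
        return "LE/GE set (0x700 pattern: loaded through the SoftICE loader)"
    if dr7 == 0x400:
        return "only the always-one reserved bit (0x400 pattern: nothing armed)"
    return "other"


if __name__ == "__main__":
    # Constructed values: the two from the text, plus a 4-byte write breakpoint
    # on DR0 (L0=1, R/W0=01b, LEN0=11b) on top of the 0x400 base.
    for value in (0x400, 0x700, 0xD0401):
        print(f"DR7={value:#x}: {classify(value)}")
        for bp in decode_dr7(value)["breakpoints"]:
            if bp["enabled"]:
                print(f"  DR{bp['index']}: {bp['type']}, {bp['length']} byte(s)")
```

The same decoder is useful on the defender's side when reading DR7 out of a kernel debugger or a memory dump: a non-zero L/G bit tells you a hardware breakpoint was armed, and which R/W and LEN encoding it used.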

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"        /* Win32 API declarations */

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD; the open only
       succeeds when the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
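The conditional breakpoints from Methods 11 and 13 can be written out as ordinary predicates to see what they actually test. The Python below is an added example, not code from the original text: esp->4 in the CreateFileA breakpoint is the lpFileName argument and esp->8 in the _regopenkey breakpoint is lpSubKey, so each condition compares four bytes at a fixed offset into those strings. The API-monitor style trace lines it runs over are constructed for the demonstration.

```python
from typing import List

# Device-name tags and registry sub-keys named in Methods 11 and 13.
SOFTICE_DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")
SOFTICE_SUBKEYS = (
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",       # key #1
    b"Software\\NuMega\\SoftICE",                                              # key #2
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  # key #3
)


def createfile_probes_softice(lp_filename: bytes) -> bool:
    # BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName and
    # +4 skips the 4-byte "\\.\" prefix, so the test is on bytes 4..7 of the name.
    return lp_filename[4:8] in SOFTICE_DEVICE_TAGS


def regopenkey_probes_softice(lp_subkey: bytes) -> bool:
    # BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE':
    # esp->8 is lpSubKey; 0x13 and 0x37 are where 'tICE' sits in keys #2 and #1.
    return lp_subkey[0x13:0x17] == b"tICE" or lp_subkey[0x37:0x3B] == b"tICE"


def tag_offset(subkey: bytes) -> int:
    """Offset of 'tICE' inside a sub-key (-1 if absent); shows where 0x13/0x37 come from."""
    return subkey.find(b"tICE")


def flag_trace(lines: List[str]) -> List[str]:
    """Apply both predicates to trace lines of the form 'CreateFileA path' or
    'RegOpenKeyA subkey' and return the lines that look like a SoftICE probe."""
    flagged = []
    for line in lines:
        api, _, arg = line.partition(" ")
        raw = arg.encode("latin-1")
        if api == "CreateFileA" and createfile_probes_softice(raw):
            flagged.append(line)
        elif api == "RegOpenKeyA" and regopenkey_probes_softice(raw):
            flagged.append(line)
    return flagged


# Constructed trace, not captured from a real program.
TRACE = [
    "CreateFileA C:\\readme.txt",
    "CreateFileA \\\\.\\SICE",
    "CreateFileA \\\\.\\NTICE",
    "RegOpenKeyA Software\\NuMega\\SoftICE",
    "RegOpenKeyA Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

if __name__ == "__main__":
    for key in SOFTICE_SUBKEYS:
        print(f"'tICE' at {tag_offset(key):#x} in {key.decode()}")
    for line in flag_trace(TRACE):
        print("suspicious:", line)
```

tag_offset shows where the two constants come from: 'tICE' sits at byte 19 (0x13) of key #2 and at byte 55 (0x37) of key #1. Key #3 contains no such tag, so the _regopenkey breakpoint as written does not fire on the Loader32.Exe App Paths lookup; that key needs its own condition.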

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>