About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; answered by SoftICE's BoundsChecker interface
    cmp     al,4                   ; AL left untouched (4) means nobody handled it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 when the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (real-mode IVT segment)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h vector, keep the old one in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler left AX alone; a debugger would not
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; mark that our handler actually ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h vector, old one kept in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: an unpredictable value
    xor     cx,cx                   ; CL = 0 until our handler copies AL into it
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: the int 41h never reached our handler
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
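Method 10 only names the two DR7 values 0x400 and 0x700. The decoder below is an added example, not code from the original article: it applies the DR7 bit layout documented in the Intel SDM to show that 0x400 is just the always-one reserved bit 10, that 0x700 additionally has the LE and GE bits set, and how a memory breakpoint armed in DR0..DR3 shows up in the enable and R/W-LEN fields. The helper names and the verdict strings are this example's own.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0, L1,G1, L2,G2, L3,G3  local/global enables for DR0..DR3
#   bits 8, 9  : LE, GE  legacy "exact breakpoint" enables
#   bit  10    : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit  13    : GD, general detect (traps on any MOV to/from a DRn)
#   bits 16-31 : R/W0,LEN0 .. R/W3,LEN3, two bits each, per breakpoint
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split a DR7 value into its flag bits and the list of armed breakpoints."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "reg": "DR%d" % n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
    }


def classify_dr7(dr7):
    """Reproduce the read-out Method 10 relies on as a one-line verdict."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        armed = ", ".join("%s:%s/%d" % (b["reg"], b["type"], b["length"])
                          for b in info["breakpoints"])
        return "hardware breakpoints armed (%s)" % armed
    if info["le"] and info["ge"]:
        return "LE and GE set: matches the article's 0x700 loader signature"
    return "baseline: only reserved bit 10 set"


def encode_bpm(dr7, n, rw, length_bytes, glob=False):
    """Return dr7 with DRn armed the way a BPM-style memory breakpoint sets it."""
    ln = {1: 0, 2: 1, 4: 3, 8: 2}[length_bytes]
    rw_code = {v: k for k, v in RW_TYPES.items()}[rw]
    dr7 |= 1 << (2 * n + (1 if glob else 0))        # Ln or Gn enable bit
    dr7 &= ~(0b1111 << (16 + 4 * n))                 # clear old R/Wn and LENn
    dr7 |= (rw_code | (ln << 2)) << (16 + 4 * n)     # write new R/Wn and LENn
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0x400, 0, "write", 4)):
        print("DR7=%#x -> %s" % (value, classify_dr7(value)))
```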

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);        /* the driver is loaded and accepted the open */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
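Methods 01, 02, 03/04, 05/07, 11, 12 and 13 all leave recognisable constants in a binary: the 'BCHK' and 4647h/4A4Dh magic values, the 1684h/0202h/7A5Fh int 2Fh arguments, the 0F386h compare, the 002A002Ah VxDCall selector, the \\.\SICE-style device names and the registry paths. The scanner below is an added example, not code from the original article: it turns those constants into byte signatures (the opcode encodings are for the 16-bit/32-bit instruction forms shown above) and runs them over a constructed sample, the way an analyst would triage a packed sample for anti-debugger checks. Signature names and the sample bytes are this example's own.

```python
import re

# One (name, pattern) pair per family of checks described in the article.  The
# opcode bytes are the 16-bit/32-bit encodings of the instructions shown there;
# an optional 0x66 operand-size prefix covers the 16-bit register forms when
# they appear inside 32-bit code.  Patterns are constructed for this example.
ANTI_SOFTICE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("int 3 BoundsChecker 'BCHK' probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh, the int 3 backdoor magic values
    ("int 3 backdoor magic SI=4647h DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("int 2Fh/1684h VxD entry-point query (SICE or SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/07: int 41h or int 68h followed by cmp ax,0F386h
    ("int 41h/68h with 0F386h debugger-magic compare",
     re.compile(rb"(?:\xB4\x43)?\xCD[\x41\x68].{0,12}?\x66?\x3D\x86\xF3",
                re.DOTALL)),
    # Method 12: push 4Fh / push 002A002Ah right before VxDCall
    ("VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: device names opened with CreateFileA or _lopen
    ("SoftICE driver name (MeltICE)",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys that reveal an installation
    ("SoftICE registry key",
     re.compile(rb"|".join(re.escape(k) for k in (
         b"Software\\NuMega\\SoftICE",
         b"Uninstall\\SoftICE",
         b"App Paths\\Loader32.Exe")), re.IGNORECASE)),
]


def scan_for_anti_softice(blob):
    """Return (offset, signature name) for every hit in blob, sorted by offset."""
    hits = []
    for name, pattern in ANTI_SOFTICE_SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the sequences above glued together with NOPs.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68\x66\x3D\x86\xF3"                   # Method 07
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13
)

if __name__ == "__main__":
    for offset, name in scan_for_anti_softice(SAMPLE_BLOB):
        print("%#06x  %s" % (offset, name))
```

Real binaries will produce the occasional false positive on the shorter opcode patterns, so treat a hit as a place to look at in the disassembler rather than as a verdict.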