About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
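The tricks above each hinge on a handful of fixed constants (the 'BCHK' signature, the 4647h/4A4Dh back-door magic, the int 2Fh/1684h VxD IDs, int 41h/4Fh, 0F386h, the MeltICE device names, 002A002Ah and the NuMega registry key), so an analyst can recognise which of the listed checks a sample contains from the file image alone, before stepping into it. The following Python scanner is an added example, not code from the original post: the byte encodings are the common 16-bit/32-bit forms of the instructions shown above (heuristics, not exhaustive), and the sample buffer is constructed.

```python
"""Static triage for the anti-SoftICE checks listed above.

Added example (not from the original post): a small YARA-style byte scanner
for the constants the methods depend on. Encodings are the usual 16-bit DOS
/ 32-bit forms of the listed instructions and are heuristics, not exhaustive.
"""
import re
from typing import Dict, List


def _device_names(*names: str) -> bytes:
    """Regex alternation of \\\\.\\<name> in ANSI and UTF-16LE (Method 11)."""
    alts = []
    for n in names:
        s = "\\\\.\\" + n
        alts += [re.escape(s.encode("ascii")), re.escape(s.encode("utf-16-le"))]
    return b"|".join(alts)


# Signature name -> compiled pattern; immediates are little-endian.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') followed by int 3 within 8 bytes
    "01 BCHK/int 3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back door magic values)
    "02 back door SI/DI": re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h": re.compile(
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Methods 05/06: mov ax,4Fh / int 41h
    "05/06 int 41h/4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h (system debugger magic number)
    "cmp ax,0F386h": re.compile(rb"\x3D\x86\xF3"),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE)
    "11 MeltICE device": re.compile(_device_names("SICE", "SIWVID", "NTICE")),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "12 VxDCall 002A002Ah": re.compile(rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key used to locate the installation directory
    "13 NuMega registry": re.compile(re.escape(rb"Software\NuMega\SoftICE")),
}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {signature: [offsets]} for every signature present in data."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample, not a real binary: Method 01, Method 05, a MeltICE name.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh  ; 'BCHK'
    + b"\xB8\x04\x00\xCC"          # mov ax,04h / int 3
    + b"\x3C\x04\x75\x10"          # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x05"      # cmp ax,0F386h / jz SoftICE_detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(name, [hex(o) for o in offsets])
```

Run it against a dumped section rather than a packed file, since packers that use these tricks usually encrypt the stub until run time.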