About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is replaced
by a dummy handler before the call: a debugger that intercepts int 41h at a
lower level (before the IVT handler is reached) still answers 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset in DX
    xchg    bx, es:[41h*4+2]        ; ... and old segment in BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The dummy handler copies AL (a quasi-random byte read from the timer port)
into CL; if the handler never runs because a debugger intercepted int 41h,
CL stays zero and differs from AL (when AL happens to be zero the check is
inconclusive):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter: a quasi-random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
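The constants used by Methods 01 to 05 and 07 (the 'BCHK' signature and AX=4, the 'FG'/'JM' magic values, int 2Fh/1684h with the two VxD IDs, int 41h/4Fh and int 68h/43h) are immediate operands, so the tricks can be located statically in a binary before any tracing. The scanner below is an added example, not code from the original text: it matches the instruction encodings with an optional 66h operand-size prefix (so both 16-bit and 32-bit code bodies are covered) and allows a bounded gap between the anchors of one pattern (the 16-byte gap is an assumption, sized for the Haspinst sequence above). The sample buffer is constructed from the snippets in this text, not taken from a real file; a packer that only decrypts this code at run time, or the long `CD 03` form of INT 3, is not caught.

```c
/* Static scanner for the anti-SoftICE patterns of Methods 01-05 and 07.
   Added example, not part of the original text. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_GAP     16   /* assumption: at most 16 unrelated bytes between anchors */
#define MAX_ANCHORS 3

typedef struct { uint8_t bytes[6]; size_t len; } anchor_t;

typedef struct {
    int method;                    /* "Method NN" of the text */
    const char *desc;
    size_t n_anchors;
    anchor_t anchors[MAX_ANCHORS]; /* in order, 16-bit operand encodings, no 66h prefix */
} pattern_t;

static const pattern_t patterns[] = {
    { 1, "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker backdoor)", 3,
      { { {0xBD,0x4B,0x48,0x43,0x42}, 5 }, { {0xB8,0x04,0x00}, 3 }, { {0xCC}, 1 } } },
    { 2, "mov si,4647h 'FG' / mov di,4A4Dh 'JM' / int 3 (SoftICE backdoor)", 3,
      { { {0xBE,0x47,0x46}, 3 }, { {0xBF,0x4D,0x4A}, 3 }, { {0xCC}, 1 } } },
    { 3, "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)", 3,
      { { {0xB8,0x84,0x16}, 3 }, { {0xBB,0x02,0x02}, 3 }, { {0xCD,0x2F}, 2 } } },
    { 4, "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)", 3,
      { { {0xB8,0x84,0x16}, 3 }, { {0xBB,0x5F,0x7A}, 3 }, { {0xCD,0x2F}, 2 } } },
    { 5, "mov ax,4Fh / int 41h (expects 0F386h)", 2,
      { { {0xB8,0x4F,0x00}, 3 }, { {0xCD,0x41}, 2 } } },
    { 7, "mov ah,43h / int 68h (expects 0F386h)", 2,
      { { {0xB4,0x43}, 2 }, { {0xCD,0x68}, 2 } } },
};
#define NPATTERNS (sizeof patterns / sizeof patterns[0])

typedef struct { int method; size_t offset; } hit_t;

/* Match one pattern at buf[off]: the first anchor must start there, later
   anchors within MAX_GAP bytes of the previous one; every anchor may carry a
   66h prefix.  Returns the matched length, 0 if no match. */
static size_t match_at(const uint8_t *buf, size_t len, size_t off, const pattern_t *p)
{
    size_t pos = off;
    for (size_t i = 0; i < p->n_anchors; i++) {
        const anchor_t *a = &p->anchors[i];
        size_t last = (i == 0) ? pos : pos + MAX_GAP;
        int found = 0;
        for (size_t s = pos; s <= last && s < len; s++) {
            size_t q = s;
            if (buf[q] == 0x66) q++;                      /* optional operand-size prefix */
            if (q + a->len <= len && memcmp(buf + q, a->bytes, a->len) == 0) {
                pos = q + a->len; found = 1; break;
            }
        }
        if (!found) return 0;
    }
    return pos - off;
}

/* Scan a code buffer; returns the hit count (hits past max_hits are counted, not stored). */
size_t scan_anti_softice(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t i = 0; i < NPATTERNS; i++) {
            size_t m = match_at(buf, len, off, &patterns[i]);
            if (m == 0) continue;
            if (n < max_hits) { hits[n].method = patterns[i].method; hits[n].offset = off; }
            n++;
            off += m - 1;                                 /* resume after the match */
            break;
        }
    }
    return n;
}

/* Constructed sample: the snippets of Methods 02, 01, 05, 07 and 03 glued
   together, plus a lone int 3 (offset 62) that must not be flagged. */
static const uint8_t sample[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x83,0xC3,0x02, 0x90,0x90,
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, 0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,
    0xB4,0x43, 0xCD,0x68, 0x66,0x3D,0x86,0xF3,               /* 32-bit code: 66h on cmp ax */
    0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    0xCC, 0xC3
};

size_t scan_sample(hit_t *hits, size_t max_hits)
{
    return scan_anti_softice(sample, sizeof sample, hits, max_hits);
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++) {
        const char *desc = "";
        for (size_t p = 0; p < NPATTERNS; p++)
            if (patterns[p].method == hits[i].method) desc = patterns[p].desc;
        printf("offset %3zu: Method %02d  %s\n", hits[i].offset, hits[i].method, desc);
    }
    return 0;
}
```

Run against a real file by reading it into a buffer and calling scan_anti_softice; the reported offsets are where a BPX or a patch belongs.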
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
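The register layout behind the values quoted above, as an added example that is not part of the original text: a decoder for DR7 working on values already read at ring 0 (MOV from a debug register raises #GP at any other privilege level, hence "ring0 only"; the inputs below are constructed, not captured from a machine). It shows that 0x400 is only bit 10, which is reserved and reads as 1 on every x86, so on its own it says nothing about a debugger, while 0x700 adds the LE and GE exact-breakpoint bits the text attributes to the SoftICE loader. It also shows how a BPM appears in the L/G, R/W and LEN fields and what "clearing BPMs" comes down to. The sample address 0x00401000 is arbitrary.

```c
/* DR7 decoder for the Method 10 check.  Added example, not from the original text.
   Bit layout (Intel SDM): L0 G0 L1 G1 L2 G2 L3 G3 | LE GE 1 - - GD - - |
   R/W0 LEN0 R/W1 LEN1 R/W2 LEN2 R/W3 LEN3 (two bits each, from bit 16). */
#include <stdint.h>
#include <stdio.h>

typedef enum { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 } bp_kind_t;

typedef struct {
    int enabled;        /* L or G bit set */
    int global;         /* G bit: survives task switches */
    bp_kind_t kind;     /* R/W field (BP_IO only meaningful with CR4.DE) */
    unsigned len;       /* 1, 2, 4 bytes (8 only in 64-bit mode) */
    uint32_t addr;      /* linear address from DR0..DR3 */
} hwbp_t;

typedef struct {
    hwbp_t bp[4];
    int le, ge;         /* bits 8, 9: local/global exact breakpoint enable */
    int bit10;          /* reserved, always reads as 1: the 0x400 in the text */
    int gd;             /* bit 13: general detect, traps any MOV to/from DRn */
} dr7_info_t;

static const unsigned len_bytes[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */

dr7_info_t decode_dr7(uint32_t dr7, const uint32_t dr[4])
{
    dr7_info_t r;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        r.bp[i].enabled = l | g;
        r.bp[i].global  = g;
        r.bp[i].kind    = (bp_kind_t)((dr7 >> (16 + 4 * i)) & 3);
        r.bp[i].len     = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
        r.bp[i].addr    = dr[i];
    }
    r.le = (dr7 >> 8) & 1;  r.ge = (dr7 >> 9) & 1;
    r.bit10 = (dr7 >> 10) & 1;  r.gd = (dr7 >> 13) & 1;
    return r;
}

/* Number of armed breakpoints: what a protection reading DR7 is after. */
int armed_breakpoints(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++) if ((dr7 >> (2 * i)) & 3) n++;
    return n;
}

/* Arm DRi the way a BPM does: kind and length in the per-breakpoint
   fields, then the L (or G) enable bit.  len must be 1, 2, 4 or 8. */
uint32_t dr7_set_bp(uint32_t dr7, int i, bp_kind_t kind, unsigned len, int global)
{
    uint32_t lenfield = (len == 1) ? 0 : (len == 2) ? 1 : (len == 8) ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * i));                       /* clear old R/W and LEN */
    dr7 |= ((uint32_t)kind | (lenfield << 2)) << (16 + 4 * i);
    dr7 |= 1u << (2 * i + (global ? 1 : 0));
    return dr7;
}

/* Disarm DRi: clearing L and G is all "clearing a BPM" amounts to; the
   R/W and LEN fields may stay, they are inert while both bits are zero. */
uint32_t dr7_clear_bp(uint32_t dr7, int i)
{
    return dr7 & ~(3u << (2 * i));
}

void print_dr7(uint32_t dr7, const uint32_t dr[4])
{
    static const char *names[4] = { "exec", "write", "io", "read/write" };
    dr7_info_t info = decode_dr7(dr7, dr);
    printf("DR7=%08x  LE=%d GE=%d GD=%d bit10=%d  armed=%d\n", (unsigned)dr7,
           info.le, info.ge, info.gd, info.bit10, armed_breakpoints(dr7));
    for (int i = 0; i < 4; i++)
        if (info.bp[i].enabled)
            printf("  DR%d: %s %s len=%u at %08x\n", i, info.bp[i].global ? "global" : "local",
                   names[info.bp[i].kind], info.bp[i].len, (unsigned)info.bp[i].addr);
}

int main(void)
{
    uint32_t dr[4] = { 0, 0, 0, 0 };                      /* constructed values */
    print_dr7(0x400, dr);                                 /* idle machine: reserved bit only */
    print_dr7(0x700, dr);                                 /* LE|GE, nothing armed */
    dr[0] = 0x00401000;                                   /* "BPM 401000 W" on DR0 */
    uint32_t with_bpm = dr7_set_bp(0x700, 0, BP_WRITE, 4, 0);
    print_dr7(with_bpm, dr);
    print_dr7(dr7_clear_bp(with_bpm, 0), dr);             /* what a protection writes back */
    return 0;
}
```

With a BPM on DR0 the value becomes 0x000D0701: bit 0 (L0) arms it, bits 16-17 = 01 make it a write watch, bits 18-19 = 11 give the 4-byte length. A protection that writes 0x700 back disarms the breakpoint without SoftICE noticing until the next BPM command.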
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE for Win95 driver accepts the open:
   only the loaded VxD answers the DIOC_OPEN that CreateFile sends. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.