<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE services an
int 3 issued with EBP='BCHK' and AX=4 and changes AL (clearing it), whereas
without SoftICE the int 3 comes back with AL untouched, so AL is still 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door' int 3 interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the jump to 00ADh is taken through an exception handler installed by the
 program when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI is set to its API
entry point; if it is not, ES:DI is left at 0000:0000, which is why both
registers are zeroed before the call.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_Detected


The next snippet, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). In plain DOS the int 41h vector points at
the fixed-disk parameter table, not at code, so issuing int 41h with no
debugger present would jump into data; the snippet therefore swaps in a
dummy handler first. Without a debugger the dummy handler's iret returns
with AX still 4Fh; a system debugger intercepts int 41h before the vector
table is consulted and still answers 0F386h:

 xor ax, ax
 mov es, ax ; ES = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h
 jz SoftICE_Detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, because
no function number (4Fh) is passed and no magic value is compared. The dummy
handler copies AL into CL, and AL is loaded from the PIT counter (port 40h)
so it differs on every run. If the handler ran, CL equals AL afterwards; if
a system debugger swallowed the int 41h instead, the handler never ran and
CL is still 0 (or AL was modified), so CL != AL:

int41handler PROC
 mov cl, al
 iret
int41handler ENDP


 xor ax, ax
 mov es, ax ; ES = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; AL = low byte of PIT channel 0 counter
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl, al
 jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using the VxDCall
back door).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed, 0 otherwise.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (DR0 to DR3), simply by
reading their value. Moving a debug register into a general register is a
privileged instruction, so this only works in ring 0. Values can be
manipulated and/or changed as well (clearing BPMs, for instance).
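
To make the DR7 values quoted above concrete, here is an added example (not
code from the original document or from FrogsICE) that decodes DR7 the way a
ring-0 check would, applies the 0x700 / 0x400 rule of thumb from the text,
and shows the mask a protector applies to clear BPMs. The bit layout is the
one documented in the Intel SDM; the breakpoint address 0x401000 used in the
usage section is a constructed value.

```python
"""Decode the x86 debug-control register DR7 the way a ring-0 check like
Method 10 reads it.  Bit layout (Intel SDM vol. 3, "Debug Registers"):
bits 0-7 = L0,G0 .. L3,G3 enables, bit 8 = LE, bit 9 = GE, bit 10 = reserved
(always reads 1), bit 13 = GD, bits 16-31 = R/W and LEN for DR0..DR3."""
from dataclasses import dataclass, field
from typing import List, Sequence

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b = 8 bytes (long mode only)


@dataclass
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    scope: str       # "local" (Ln) or "global" (Gn)
    kind: str        # exec / write / io / read-write
    length: int      # monitored length in bytes
    address: int     # linear address taken from DRn


@dataclass
class Dr7:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int, drs: Sequence[int] = (0, 0, 0, 0)) -> Dr7:
    """Split DR7 into fields; drs are the DR0..DR3 values read alongside it."""
    info = Dr7(raw=dr7, le=bool(dr7 & 0x100), ge=bool(dr7 & 0x200),
               gd=bool(dr7 & 0x2000))
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i disabled: R/W and LEN are don't-care
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info.breakpoints.append(HwBreakpoint(
            slot=i, scope="global" if glob else "local",
            kind=RW_NAMES[rw], length=LEN_BYTES[ln], address=drs[i]))
    return info


def debugger_hint(dr7: int) -> str:
    """Rule of thumb from the text: 0x700 (LE+GE set, nothing enabled) is what
    a program started from the SoftICE loader sees, 0x400 (only the reserved
    bit) is the idle value.  Any enabled slot means hardware breakpoints
    (SoftICE BPMs) are armed."""
    info = decode_dr7(dr7)
    if info.breakpoints:
        return "hardware breakpoints armed"
    if info.le and info.ge:
        return "debugger flags set (LE/GE)"
    return "idle"


def clear_hw_breakpoints(dr7: int) -> int:
    """What a protector does to kill BPMs: drop every Ln/Gn enable and every
    R/W-LEN field, keeping bits 8-15 (LE, GE, reserved, GD) as they were."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed values: DR7 as left by the SoftICE loader, then the same
    # register with a 4-byte read/write BPM in slot 0 at linear 0x401000.
    print(debugger_hint(0x700), "/", debugger_hint(0x400))
    armed = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    for bp in decode_dr7(armed, (0x401000, 0, 0, 0)).breakpoints:
        print(bp)
    print(hex(clear_hw_breakpoints(armed)))
```

The decoder only interprets what a `mov eax, dr7` would have fetched; the
fetch itself still has to happen in ring 0, as the text says.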

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-1 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old Win16-style _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns HFILE_ERROR (-1) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004Fh ; function 4Fh
 push 002A002Ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_Detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
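
As an added example that is not part of the original document, and serving
Methods 01-07, 11, 12 and 13 at once, the following Python script scans a
binary for the byte patterns these tricks leave behind: the standard x86
encodings of the instructions quoted above (16-bit real-mode forms for the
DOS snippets, with an optional 66h operand-size prefix for the same
instruction in 32-bit code), plus the device names and registry paths of
Methods 11 and 13. The encodings and the sample blob are my own construction,
not bytes taken from Haspinst.exe, MeltICE or any other program named here.

```python
"""Static scan of a DOS/Win9x binary for the anti-SoftICE tricks listed in
this document (Methods 01-07, 11, 12, 13).  Patterns are the standard x86
encodings of the quoted instructions (16-bit forms for the DOS snippets, an
optional 66h prefix covering 32-bit code) plus the Method 11/13 strings."""
import re
from typing import Dict, List, Tuple

# name -> (byte regex, method number in this document)
SIGNATURES: Dict[str, Tuple[bytes, str]] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    "bchk_int3":      (rb"\x66?\xbd\x4b\x48\x43\x42", "01"),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    "backdoor_magic": (rb"\xbe\x47\x46\xbf\x4d\x4a", "02"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "int2f_1684":     (rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f", "03/04"),
    # Method 05: mov ax,4Fh / int 41h
    "int41_4f":       (rb"\xb8\x4f\x00\xcd\x41", "05"),
    # Methods 05/07/12: cmp ax,0F386h on the returned magic number
    "cmp_f386":       (rb"\x66?\x3d\x86\xf3", "05/07/12"),
    # Method 07: mov ah,43h / int 68h
    "int68_43":       (rb"\xb4\x43\xcd\x68", "07"),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall
    "vxdcall_int41":  (rb"\x68\x2a\x00\x2a\x00", "12"),
    # Method 11: driver names handed to CreateFileA / _lopen
    "device_name":    (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", "11"),
    # Method 13: registry paths
    "registry_key":   (rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows"
                       rb"\\CurrentVersion\\(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))",
                       "13"),
}

Hit = Tuple[int, str, str]   # (offset, method, signature name)


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit, sorted by file offset."""
    hits: List[Hit] = []
    for name, (pattern, method) in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), method, name))
    return sorted(hits)


def summarize(blob: bytes) -> Dict[str, List[int]]:
    """Group hits by method so a packer's anti-debug set can be read at a glance."""
    out: Dict[str, List[int]] = {}
    for off, method, _ in scan(blob):
        out.setdefault(method, []).append(off)
    return out


# Constructed sample, not a real program: a Haspinst-style back-door loop,
# a Method 03 int 2Fh probe, a MeltICE device name and a Method 13 key.
SAMPLE = (
    b"\xb8\x11\x09"                         # mov ax,0911h (execute command)
    + b"\x8b\x17"                           # mov dx,[bx]
    + b"\xbe\x47\x46"                       # mov si,4647h
    + b"\xbf\x4d\x4a"                       # mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\x90" * 4                           # padding
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                    # '\\.\SICE'
    + b"Software\\NuMega\\SoftICE\x00"      # registry key #2
)

if __name__ == "__main__":
    for off, method, name in scan(SAMPLE):
        print(f"{off:06x}  Method {method:<8} {name}")
```

Like the BPX conditions listed for SoftICE, this is a triage aid, not proof:
the patterns only catch the immediate-operand forms shown in the text, so a
protector that assembles the magic values in registers at run time or keeps
the device and registry strings encrypted will pass the scan.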
</PRE></TD></TR></TBODY></TABLE>