<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: when SoftICE is
loaded it answers an INT 3 issued with EBP='BCHK' and AX=4, and AL no longer
holds 4 afterwards.

        mov ebp, 04243484Bh   ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a very widely used method (perhaps the most frequent one). The same
INT 3 interface reaches SoftICE's 'back door' commands, which give
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description of the functions (selected by AX):
 -AX = 0910h  Display a string in the SoftICE window
 -AX = 0911h  Execute a SoftICE command (the command string is at DS:DX)
 -AX = 0912h  Get breakpoint information
 -AX = 0913h  Set SoftICE breakpoints
 -AX = 0914h  Remove SoftICE breakpoints

Each time you meet this trick you will see:
 -SI = 4647h  ('FG')
 -DI = 4A4Dh  ('JM')
which are the 'magic values' SoftICE requires in SI and DI.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below)
4C19:009A  MOV  SI,4647      ; 1st magic value
4C19:009D  MOV  DI,4A4D      ; 2nd magic value
4C19:00A0  INT  3            ; the call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands
4C19:00AA  JMP  0002         ; Bad_Guy: jump back
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own exception
  handler for INT 3) when the debugger is not loaded.
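Because both Method 01 and Method 02 reduce to a handful of fixed immediates in front of an INT 3, they are easy to find statically in a packed or protected binary. The C scanner below is an added example (not code from the original page or from any tool it mentions): the byte signatures are the x86 encodings of the instructions quoted above, for 16-bit and 32-bit code segments, and SAMPLE_CODE is a constructed buffer that stitches the Haspinst.exe loop body to a 32-bit 'BCHK' check. The loose check accounts for the magic loads being separated from the INT 3 by other instructions, as they are in the Haspinst fragment.

```c
/*
 * Added example, not from the original page: a static scanner for the INT 3
 * back-door sequences of Method 01 ('BCHK') and Method 02 ('FG'/'JM').
 * Signatures are the x86 encodings of the instructions quoted in the text.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Method 02, 16-bit code: mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t SIG_FGJM_16[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* Method 02, 32-bit code: the same with 66h operand-size prefixes */
static const uint8_t SIG_FGJM_32[] = { 0x66,0xBE,0x47,0x46, 0x66,0xBF,0x4D,0x4A, 0xCC };
/* Method 01, 32-bit code: mov ebp,4243484Bh / mov ax,4 / int 3 */
static const uint8_t SIG_BCHK_32[] = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
/* Method 01, 16-bit code: the 66h prefix moves to the 32-bit mov ebp instead */
static const uint8_t SIG_BCHK_16[] = { 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC };

enum { HIT_BCHK = 1, HIT_FGJM = 2 };

/* First offset of sig in buf, or (size_t)-1 when absent (portable memmem). */
size_t find_sig(const uint8_t *buf, size_t n, const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || n < siglen)
        return (size_t)-1;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return i;
    return (size_t)-1;
}

/* Looser Method 02 check: an INT 3 preceded, within 'window' bytes, by both
 * "mov si,4647h" and "mov di,4A4Dh" in any order (other instructions may sit
 * between them). Returns the offset of the INT 3 or (size_t)-1. */
size_t find_fgjm_loose(const uint8_t *buf, size_t n, size_t window)
{
    static const uint8_t si_load[] = { 0xBE, 0x47, 0x46 };
    static const uint8_t di_load[] = { 0xBF, 0x4D, 0x4A };
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != 0xCC)
            continue;
        size_t start = i > window ? i - window : 0;
        int have_si = find_sig(buf + start, i - start, si_load, 3) != (size_t)-1;
        int have_di = find_sig(buf + start, i - start, di_load, 3) != (size_t)-1;
        if (have_si && have_di)
            return i;
    }
    return (size_t)-1;
}

/* Scan a code image; returns a bitmask of HIT_BCHK / HIT_FGJM. */
int scan_softice_backdoors(const uint8_t *buf, size_t n)
{
    int hits = 0;
    if (find_sig(buf, n, SIG_BCHK_16, sizeof SIG_BCHK_16) != (size_t)-1 ||
        find_sig(buf, n, SIG_BCHK_32, sizeof SIG_BCHK_32) != (size_t)-1)
        hits |= HIT_BCHK;
    if (find_sig(buf, n, SIG_FGJM_16, sizeof SIG_FGJM_16) != (size_t)-1 ||
        find_sig(buf, n, SIG_FGJM_32, sizeof SIG_FGJM_32) != (size_t)-1 ||
        find_fgjm_loose(buf, n, 16) != (size_t)-1)
        hits |= HIT_FGJM;
    return hits;
}

/* Constructed sample: Haspinst.exe loop body (16-bit) then a 32-bit BCHK check. */
const uint8_t SAMPLE_CODE[] = {
    0xB8,0x11,0x09,                 /* 0000: mov ax,0911h           */
    0x8B,0x17,                      /* 0003: mov dx,[bx]            */
    0xBE,0x47,0x46,                 /* 0005: mov si,4647h           */
    0xBF,0x4D,0x4A,                 /* 0008: mov di,4A4Dh           */
    0xCC,                           /* 000B: int 3                  */
    0x83,0xC3,0x02,                 /* 000C: add bx,2               */
    0xBD,0x4B,0x48,0x43,0x42,       /* 000F: mov ebp,4243484Bh      */
    0x66,0xB8,0x04,0x00,            /* 0014: mov ax,4               */
    0xCC,                           /* 0018: int 3                  */
    0x3C,0x04,                      /* 0019: cmp al,4               */
    0x75,0x00                       /* 001B: jnz SoftICE_Detected   */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    int hits = scan_softice_backdoors(SAMPLE_CODE, SAMPLE_CODE_LEN);
    printf("Method 01 (BCHK):  %s\n", (hits & HIT_BCHK) ? "found" : "absent");
    printf("Method 02 (FG/JM): %s\n", (hits & HIT_FGJM) ? "found" : "absent");
    return 0;
}
```

Run it over a dumped code section rather than the packed file itself: the packers the text refers to only produce these bytes after unpacking, which is exactly why the dynamic breakpoints given later on this page remain useful.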
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID through INT 2Fh/AX=1684h
(Get Device API Entry Point). ES:DI is zeroed before the call and stays
0000:0000 when no such VxD is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h        ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh        ; VxD ID of SIWVID
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first installs its own
INT 41h handler (a plain IRET), so the call is harmless when no debugger
handles the interrupt, and restores the original vector afterwards:

        xor ax, ax
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]      ; (segment)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]        ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

(ES must point to segment 0, the real-mode interrupt vector table, as in
Method 06.)
_________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but harder to detect: it does not
use function 4Fh, so a conditional BPINT 41 on AX==4F never fires. The
program's handler copies AL into CL; if SoftICE has taken over INT 41h, that
handler is never reached, CL stays 0 and differs from AL (a timer byte read
from port 40h, so the value cannot be predicted or patched in advance).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                 ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]        ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h                 ; unpredictable value (PIT counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]        ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function AH=43h is
the debugger installation check and returns AX=0F386h when SoftICE is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
This is not a SoftICE detection method but a way to crash the system, by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (INT 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring-3 app through a VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

        mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov edi, Device_Name     ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only: a MOV from DRx faults in ring 3)
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or whether memory breakpoints are
set (DR0 to DR3). The values can be manipulated or changed as well (clearing
BPMs, for instance).

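The two DR7 values quoted above make sense once the register is decoded: bit 10 is architecturally reserved and always reads as 1 (hence 0x400 on an idle machine), and 0x700 adds the LE and GE exact-breakpoint enables (bits 8 and 9) that SoftICE sets; each BPM occupies one of four slots with an enable bit, an R/W type and a length. The C decoder below is an added example, not code from the page or from any SoftICE tool; the bit layout is the Intel SDM's, and the DR7 values fed to it are constructed for the demonstration (a real Method 10 check would obtain them with a ring-0 MOV EAX,DR7).

```c
/*
 * Added example, not from the original page: decode an x86 DR7 value the way
 * Method 10 reads it. Bit layout per the Intel SDM (debug registers).
 */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE   (1u << 8)    /* local exact breakpoint enable  (SoftICE sets it) */
#define DR7_GE   (1u << 9)    /* global exact breakpoint enable (SoftICE sets it) */
#define DR7_RSVD (1u << 10)   /* reserved, always reads as 1: the 0x400 baseline  */
#define DR7_GD   (1u << 13)   /* general detect: trap any MOV to/from DR0..DR7    */

/* Number of armed slots: L<n> (bit 2n) or G<n> (bit 2n+1) set, n = 0..3. */
int dr7_armed_count(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            count++;
    return count;
}

/* R/W<n>, bits 16+4n..17+4n: 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write. */
int dr7_slot_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

/* LEN<n>, bits 18+4n..19+4n, as a byte count (encoding 2 = 8 bytes, 64-bit only). */
int dr7_slot_len_bytes(uint32_t dr7, int n)
{
    switch ((dr7 >> (18 + 4 * n)) & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* Method 10 heuristic: anything beyond the reserved bit means a debugger touched DR7. */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & ~DR7_RSVD) != 0;
}

static const char *rw_name(int rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

void dr7_describe(uint32_t dr7)
{
    printf("DR7=0x%08X: LE=%d GE=%d GD=%d, %d slot(s) armed%s\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_armed_count(dr7), dr7_looks_debugged(dr7) ? "  <- debugger present" : "");
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            printf("  DR%d: %s, %d byte(s), %s\n", n, rw_name(dr7_slot_rw(dr7, n)),
                   dr7_slot_len_bytes(dr7, n), (dr7 & (2u << (2 * n))) ? "global" : "local");
}

int main(void)
{
    dr7_describe(0x400);   /* no system debugger: only the reserved bit */
    dr7_describe(0x700);   /* SoftICE loaded: LE|GE added, no BPM set   */
    /* constructed: 0x700 plus a local 4-byte read/write BPM in slot 0 */
    dr7_describe(0x700 | 1u | (3u << 16) | (3u << 18));
    return 0;
}
```

Clearing a BPM from the protected program, as the text mentions, means clearing that slot's L/G bits (and the matching DR0..DR3 address), which the decoder shows you how to locate.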
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE', because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE VxD answers a device open, i.e. SoftICE/95 is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag so that its
handle can be opened, and it is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-01         ; INVALID_HANDLE_VALUE
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                          ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                          ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX test):

        push 00                  ; OF_READ
        mov  eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589            ; detected
        push 00                  ; OF_READ
        mov  eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word selects the VxD (002Ah = VWIN32),
                                 ; low word the service (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp  ax, 0F386h          ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (13h and 37h are the offsets of "tICE" in the
subkey strings of keys #2 and #1):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

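The conditional breakpoints given for Method 11 (BPX CreateFileA) and Method 13 (BPX _regopenkey) both rely on SoftICE's `*(ptr)=='XXXX'` operator, a 4-byte compare against the literal, and on hard-coded offsets: at a BPX on the function's first instruction, `esp->4` is the first stack argument (lpFileName) and `esp->8` the second (lpSubKey); `+4` skips the `\\.\` prefix, and 0x13 / 0x37 are where "tICE" falls in the two subkey paths. The C program below is an added example, not code from the page or from any SoftICE tool: it reproduces those conditions as predicates over the argument strings and re-derives the offsets, so they can be checked and adapted. All input strings in it are constructed.

```c
/*
 * Added example, not from the original page: the BPX conditions of Method 11
 * and Method 13 as C predicates over the CreateFileA / RegOpenKey arguments.
 */
#include <stdio.h>
#include <string.h>

/* 1 if s has at least off+4 characters and the 4 bytes at 'off' equal tag (no over-read). */
static int tag_at(const char *s, size_t off, const char *tag)
{
    for (size_t i = 0; i < off + 4; i++)
        if (s[i] == '\0')
            return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * The +4 skips the "\\.\" device prefix; 'SIWV' and 'NTIC' are 4-char prefixes. */
int createfile_cond(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * 0x13: "tICE" in Software\NuMega\SoftICE (key #2)
 * 0x37: "tICE" in Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE (key #1) */
int regopenkey_cond(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Offset of a tag inside s, or -1: use it to derive the constant for another key path. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1L;
}

int main(void)
{
    /* constructed argument strings, not captured ones */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\WINDOWS\\SYSTEM\\SICE.VXD" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               createfile_cond(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s (\"tICE\" at offset %ld)\n", keys[i],
               regopenkey_cond(keys[i]) ? "break" : "pass", tag_offset(keys[i], "tICE"));
    return 0;
}
```

Two caveats fall out of running it: the compares are byte-exact, so a path with different case or a different prefix slips past the breakpoint, and key #3 (App Paths\Loader32.Exe) is not covered by the _regopenkey condition at all; tag_offset gives the constant to add for it.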
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The zero flag is clear if a debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>