<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's BoundsChecker interface answers here
    cmp al, 4               ; AL left untouched: no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI = 0000:0000 means no such VxD
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to the interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h                 ; SoftICE answers itself if present, IVT or not
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value (timer) to compare afterwards
    xor cx, cx
    int 41h                 ; our handler copies AL to CL only if it really runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

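The Debug Register reading of Method 10, as an added example that is not part of the original text: a Python decoder that interprets a DR7 value and the DR0-DR3 addresses using the architectural DR7 bit layout, fed with the 0x700/0x400 readings reported above and a constructed BPM setting. The 0x700 vs 0x400 difference is bits 8 and 9 (LE and GE); bit 10 is reserved and reads as 1.

```python
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Interpret DR7 (and the DR0-DR3 addresses) the way Method 10 reads them.

    Bit layout is the architectural one: L0/G0..L3/G3 in bits 0-7, LE bit 8,
    GE bit 9, bit 10 reserved (reads as 1), GD bit 13, then a 4-bit
    R/W + LEN field per breakpoint starting at bit 16.
    """
    bps = []
    for i, addr in enumerate(dr0_3):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue  # slot i is not armed, whatever DRi holds
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"slot": i, "addr": addr,
                    "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": (dr7 >> 8) & 1,    # local exact breakpoint enable
        "GE": (dr7 >> 9) & 1,    # global exact breakpoint enable
        "GD": (dr7 >> 13) & 1,   # general detect: any mov to/from DRn traps
        "breakpoints": bps,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's first check: the page reports 0x700 when the target was
    started from the SoftICE loader, 0x400 otherwise. The two values differ
    only in LE and GE, so that pair is the actual tell; 0x400 is just the
    reserved bit the CPU always returns."""
    flags = decode_dr7(dr7)
    return bool(flags["LE"] and flags["GE"])


def has_bpm(dr7: int, dr0_3) -> bool:
    """Method 10's second check: is any memory breakpoint (BPM) armed?"""
    return bool(decode_dr7(dr7, dr0_3)["breakpoints"])


if __name__ == "__main__":
    # Constructed sample: loader-started process plus a 4-byte write
    # breakpoint at 0x401000 in slot 0 (L0=1, R/W0=01, LEN0=11).
    dr7 = 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)
    print(hex(dr7), decode_dr7(dr7, (0x401000, 0, 0, 0)))
    for v in (0x700, 0x400):
        print(hex(v), looks_like_softice_loader(v))
```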
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* The VxD only answers the DIOC_OPEN message when it is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

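As an added example, not code from the original document: a Python static scanner for the byte patterns that methods 01, 02, 03/04, 05, 11 and 12 above compile to, so a sample carrying these tricks can be flagged before it is traced. The operand sizes assumed are noted in the comments, and the sample buffer is constructed from the Haspinst.exe fragment, the simplest int 41h check and a MeltICE driver name.

```python
import re

# Each entry: method on the page, description, pattern over raw bytes.
# Encodings assume the operand sizes shown on the page (16-bit mov si/di/bx,
# 32-bit mov ebp, push imm32); a 66h prefix in front of them is not required.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker signature)",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    ("02", "back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"
                rb"|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46", re.DOTALL)),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,16}?\xcd\x2f", re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3d\x86\xf3")),
    ("11", "MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
]


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: the Haspinst.exe back door fragment, the simplest
# int 41h check, and a MeltICE device name, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"           # mov ax,0911h
    + b"\x8b\x17"               # mov dx,[bx]
    + b"\xbe\x47\x46"           # mov si,4647h          (offset 13)
    + b"\xbf\x4d\x4a"           # mov di,4A4Dh
    + b"\xcc"                   # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"   # mov ax,4Fh / int 41h  (offset 24)
    + b"\x3d\x86\xf3"           # cmp ax,0F386h         (offset 29)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # '\\.\SICE',0          (offset 36)
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<8} {desc}")
```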
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>