About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

___________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE VxD answers a device open on \\.\SICE */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.