About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 here (see Method 06)
    xchg    bx, es:[41h*4+2]        ; swap in our own int 41h vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
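To make the dr7 values quoted above concrete, here is an added Python decoder (not part of the original text) that follows the Intel SDM bit layout of DR7 and shows why 0x400 is the "nothing armed" value and 0x700 means the LE/GE bits are set; the helper names and the third sample value are my own.

```python
# DR7 bit layout (Intel SDM): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved and always reads as 1, GD bit 13, R/Wn and LENn in bits 16-31.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoints and control flags encoded in dr7."""
    enabled = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            enabled.append({
                "reg": n,
                "scope": "global" if glob else "local",
                "type": RW_TYPES[rw],
                "len": LEN_BYTES[ln],
            })
    return {
        "enabled": enabled,
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
    }


def loaded_via_softice_loader(dr7: int) -> bool:
    """The heuristic from the text: LE and GE set (0x700) instead of the bare 0x400."""
    flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def bpm_count(dr7: int) -> int:
    """Number of armed hardware (memory) breakpoints, i.e. what a BPM check sees."""
    return len(decode_dr7(dr7)["enabled"])


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus 0x700 with a global
    # 4-byte write breakpoint armed in DR0 (G0 = bit 1, R/W0 = 01b, LEN0 = 11b).
    for value in (0x400, 0x700, 0x700 | 0x2 | (0x1 << 16) | (0x3 << 18)):
        print(f"dr7={value:#x}: {decode_dr7(value)}")
```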

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Tries to open the SoftICE (Win9x) device name; the open only succeeds
   when the driver is loaded, so a valid handle means SoftICE is active. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
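As an added example (not from the original text), here is a Python triage scanner that turns the instruction sequences and strings of methods 01 through 13 above into byte signatures and runs them over a constructed sample; the signature names and the sample bytes are mine, and the encodings are the standard 16-bit ones for the instructions shown in each method.

```python
import re

# Byte signatures for the anti-SoftICE tricks described on this page, the way
# an analyst would encode them for triage. The core bytes are the 16-bit (8086)
# encodings; 32-bit code only adds a 0x66 operand-size prefix in front, so the
# same bytes match both. Leading numbers are the method numbers used above.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' marker":
        rb"\xBD\x4B\x48\x43\x42",                       # mov ebp,4243484Bh
    "02 back-door magic SI=4647h / DI=4A4Dh":
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
    "03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",   # mov bx,ID .. int 2Fh
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00\xCD\x41",                       # mov ax,4Fh / int 41h
    "07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",                           # mov ah,43h / int 68h
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",              # \\.\SICE etc.
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",               # push 4Fh / push 2A002Ah
    "13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}


def scan(blob: bytes) -> list:
    """Return [(signature name, offset), ...] for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: hand-assembled fragments of the sequences shown in
# methods 01, 02, 03, 11 and 12, separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"MZ header filler"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # method 03
    + b"\x00\\\\.\\SICE\x00"                                  # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"                  # method 12
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the sequence is present; packers often place several of these checks in a row, so confirm with a disassembler before treating a match as the protection's actual logic.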

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>