About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: int 3 is
executed with EBP holding the 'BCHK' signature and AX = 04h. If SoftICE is
resident it answers the call and clears AL; otherwise nothing touches AL
and it still holds 04h after the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE returns AL = 0
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE requires before it treats an int 3 as a
back door call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own int 3
  handler) if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If a VxD with that ID is loaded, the call
returns its API entry point in ES:DI; otherwise ES:DI stays 0000:0000, so
ES+DI is only non-zero when SoftICE is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger installation
check). There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is pointed at a plain
IRET for the duration of the call, so nothing in the real-mode handler chain
can answer: AX only comes back as 0F386h if a debugger intercepts int 41h
above the real-mode vector table, which SoftICE does.

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect: there
is no 4Fh function code and no 0F386h compare to search for. The temporary
handler copies AL into CL, and AL is loaded from the timer port so the value
changes from run to run. If the program's own handler ran, CL == AL; if
SoftICE handled the int 41h itself, the handler never ran, CL stays 0 and
the compare fails. (When the timer byte happens to be 0 the two sides agree
and SoftICE slips through, a weakness of the trick.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: a changing byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (the V86 debugger
interface); function 43h returns the same 0F386h magic value as int 41h/4Fh.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h (trace) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and changed as well
(clearing BPMs for instance).
Bit 10 of DR7 is reserved and always reads as 1, which is why an untouched
DR7 is 0x400; 0x700 adds the LE and GE bits (8 and 9), the exact-breakpoint
enables the loader turns on. A BPM occupies one of DR0-DR3 and sets the
matching L/G enable bits in the low byte of DR7.

__________________________________________________________________________
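To make the Method 10 check concrete, here is an added example (Python, written for this edit, not part of the original text) that decodes a DR7 value into the armed breakpoints and the LE/GE/GD flags, applies the two tells described above (the 0x700-vs-0x400 loader signature and any enabled DR0-DR3 slot) and shows the "clear BPMs" manipulation the text mentions. The register values are constructed samples: `mov eax, dr7` is privileged, so a real implementation reads them from ring 0 and then runs this logic. The names `decode_dr7`, `method10_verdict` and `clear_bpm` are mine.

```python
"""Decode DR7 the way the ring-0 check in Method 10 reads it.

Constructed sample values; on real hardware 'mov eax, dr7' is privileged,
so a ring-3 program cannot run this check itself.
"""

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3 - local/global enable for DR0..DR3
#   bit 8 / 9   LE / GE                 - exact (slow) breakpoint enables
#   bit 10      reserved, always reads 1 - hence an untouched DR7 of 0x400
#   bit 13      GD                       - trap on any access to a debug register
#   bits 16+4n  R/Wn, bits 18+4n LENn    - type and length of breakpoint n
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # LEN=10b (8 bytes) is 64-bit only


def decode_dr7(dr7):
    """Return the armed breakpoints in DR0..DR3 plus the LE/GE/GD flags."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        armed.append({"reg": f"dr{n}", "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": armed,
            "le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD)}


def method10_verdict(dr7, dr0_3):
    """Apply the two tells the text describes.

    'loader' is the 0x700-vs-0x400 signature (LE and GE both set); 'bpm'
    lists every enabled slot of DR0..DR3, i.e. every SoftICE BPM, with its
    linear address taken from dr0_3 (the four address registers).
    """
    info = decode_dr7(dr7)
    loader = info["le"] and info["ge"]
    bpm = [(bp["reg"], bp["type"], bp["len"], dr0_3[int(bp["reg"][2])])
           for bp in info["breakpoints"]]
    return {"loader": loader, "bpm": bpm, "detected": loader or bool(bpm)}


def clear_bpm(dr7):
    """What a protector does after reading DR7: drop every enable bit and
    every R/W-LEN field, keeping the reserved bit so the register still
    looks untouched (0x400) rather than zeroed."""
    return (dr7 & ~0xFF & ~0xFFFF0000) | DR7_RESERVED


if __name__ == "__main__":
    # Constructed: loader signature plus a 4-byte global write BPM in DR1.
    sample_dr7 = 0x700 | (1 << 3) | (0b01 << 20) | (0b11 << 22)   # 0xD00708
    sample_addrs = [0, 0x00401234, 0, 0]
    print(method10_verdict(sample_dr7, sample_addrs))
    print(hex(clear_bpm(sample_dr7)))
```

The verdict is only as good as the read: a ring-3 program that cannot reach DR7 has to ask a driver, and a debugger that keeps its BPMs in DR0-DR3 while the protected code runs is exactly what this catches, which is why the text says to clear breakpoints before stepping through such a check.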

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open only succeeds when the driver
is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-1      ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
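The breakpoints above find these tricks at run time; the same call sites can be found statically. As an added example (Python, written for this edit, not from the original article or any of the programs it names), here is a small scanner that turns the listings of methods 01-05, 07, 11 and 12 into byte signatures and runs them over an image constructed from those listings. The encodings assume 16-bit operand size (DOS/Win16 code); a Win32 protector encodes method 01 without the 66h prefix, which is why that prefix is optional. For a method 02 hit the scanner also looks back for the `mov ax,091Xh` that selects the back door function, as in the Haspinst.exe listing. The signature names and the `scan`/`backdoor_function` helpers are mine.

```python
"""Scan a code/data image for the anti-SoftICE call sites of methods 01-05,
07, 11 and 12. Signatures are the byte encodings of the listings (16-bit
operand size, little-endian immediates: 'mov si,4647h' is BE 47 46).
The sample image is constructed from the listings, not from a real binary.
"""
import re

SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK'); the 66h prefix appears only in 16-bit code
    "M01 BoundsChecker int 3": re.compile(rb"\x66?\xBD\x4B\x48\x43\x42"),
    # mov si,4647h ('FG') / mov di,4A4Dh ('JM'), either order
    "M02 back door magic": re.compile(
        rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
    # mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD), either mov order
    "M03 int 2F/1684 SICE": re.compile(
        rb"(?:\xB8\x84\x16\xBB\x02\x02|\xBB\x02\x02\xB8\x84\x16)\xCD\x2F"),
    # same with bx=7A5Fh (SIWVID VxD)
    "M04 int 2F/1684 SIWVID": re.compile(
        rb"(?:\xB8\x84\x16\xBB\x5F\x7A|\xBB\x5F\x7A\xB8\x84\x16)\xCD\x2F"),
    # mov ax,4Fh / int 41h
    "M05 int 41/4F": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # mov ah,43h / int 68h
    "M07 int 68/43": re.compile(rb"\xB4\x43\xCD\x68"),
    # cmp ax,0F386h: the magic-number compare shared by methods 05, 07 and 12
    # (weakest signature, three bytes that can occur by chance)
    "F386 compare": re.compile(rb"\x3D\x86\xF3"),
    # \\.\SICE, \\.\SIWVID or \\.\NTICE as an ASCIZ string (MeltICE)
    "M11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # push 4Fh / push 2A002Ah ahead of the VxDCall
    "M12 VxDCall Int41Dispatch": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}

BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}


def backdoor_function(code, hit):
    """Look back at most 16 bytes from a method 02 hit for 'mov ax,091Xh'
    (B8 1X 09) and return the function code (0910h..0914h), or None."""
    window = code[max(0, hit - 16):hit]
    found = None
    for m in re.finditer(rb"\xB8([\x10-\x14])\x09", window):
        found = 0x0900 | m.group(1)[0]      # keep the one nearest the hit
    return found


def scan(code):
    """Return every hit as (offset, signature name, detail), sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(code):
            detail = None
            if name.startswith("M02"):
                func = backdoor_function(code, m.start())
                detail = BACKDOOR_FUNCS.get(func, "unknown function") if func else None
            hits.append((m.start(), name, detail))
    return sorted(hits, key=lambda h: (h[0], h[1]))


# Constructed image: the listings above back to back, separated by NOPs.
SAMPLE = (
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02 (Haspinst.exe)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                            # method 11 string
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # method 12
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print(f"{off:06x}  {name}" + (f"  ({detail})" if detail else ""))
```

Treat a miss as "not found", not "absent": the constants can be loaded indirectly, split across instructions or built arithmetically, and methods 06, 09, 10, 13 and 14 have no fixed byte pattern at all. Treat the F386 compare on its own as a hint to look at, not a verdict.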

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; "SoftICE" starts at offset 0x10 of the #2 path and
     at 0x34 of the #1 path, so 'tICE' sits at +0x13 and +0x37.)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>