<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: int 3 is issued with
EBP='BCHK' and AH=4. If SoftICE is loaded it services the call and AL is no
longer 4 on return; if it is not, the instruction is a no-op and AL is unchanged.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands, which return information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less-used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; ES:DI stays 0000:0000 if the VxD is absent
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps its own dummy handler
into the int 41h vector, so that only a debugger sitting above the interrupt
vector table can still answer the call (ES must point to segment 0, the IVT):

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler...
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; ...and restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret                            ; does nothing: AX keeps 4Fh unless a debugger intercepts
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect: the private
int 41h handler copies AL into CL, so the final compare only succeeds if the
program's own handler actually ran and saw the same AL.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; read a timer byte into AL (a pseudo-random value)
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected


_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a SoftICE detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).
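The following Python helper is an added example, not code from the original text: it decodes the DR7 bit layout documented by Intel so that the two values quoted above (0x400 clean, 0x700 with LE/GE set by the SoftICE loader) and any armed BPM can be read off a register dump, and shows what "clearing BPMs" amounts to. The register values it uses are constructed test inputs; the read itself (mov eax, dr7) is ring 0 only and is not something Python can do.

```python
"""Decode the x86 DR7 debug-control register as read by the check above.

Added example, not part of the original text.  Bit layout follows the Intel
SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads
as 1, which is why a clean DR7 is 0x400), GD bit 13, then RWn/LENn pairs
in bits 16-31.  Values passed in are constructed test inputs; reading the
real registers needs ring 0 (mov eax, dr7), which is outside Python.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # RWn encoding
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}                   # LENn encoding (2 = 8 bytes, 64-bit only)


@dataclass
class HwBreakpoint:
    index: int      # which of DR0..DR3
    address: int    # linear address taken from DRn
    kind: str       # exec / write / rw / io
    length: int     # bytes covered
    local: bool     # Ln bit
    global_: bool   # Gn bit


@dataclass
class Dr7State:
    raw: int
    le: bool                 # local exact breakpoint enable
    ge: bool                 # global exact breakpoint enable
    gd: bool                 # general detect: #DB on any MOV to/from DRn
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int, dr0_3: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> Dr7State:
    """Split DR7 (plus the DR0..DR3 addresses) into its documented fields."""
    state = Dr7State(raw=dr7,
                     le=bool((dr7 >> 8) & 1),
                     ge=bool((dr7 >> 9) & 1),
                     gd=bool((dr7 >> 13) & 1))
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                     # slot i is disabled
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        state.breakpoints.append(
            HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], local, glob))
    return state


def classify(dr7: int, dr0_3: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> str:
    """The three outcomes Method 10 distinguishes."""
    s = decode_dr7(dr7, dr0_3)
    if s.breakpoints:
        return "bpm_set"                 # at least one DRn armed: a BPM is active
    if s.le or s.ge:
        return "softice_loader"          # 0x700: LE/GE set, program started from the loader
    return "clean"                       # 0x400: only the reserved bit


def clear_bpms(dr7: int) -> int:
    """What an anti-debug routine does when it 'clears BPMs': drop every Ln/Gn enable."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed: BPM R/W, 4 bytes, local, on 0x401000 -> L0 | RW0=11b | LEN0=11b | reserved
    armed = 0x1 | (0x3 << 16) | (0x3 << 18) | 0x400
    for value, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)), (armed, (0x401000, 0, 0, 0))):
        print(f"DR7={value:#07x}: {classify(value, regs)} {decode_dr7(value, regs).breakpoints}")
```

Note that the reserved bit 10 is why a "clean" DR7 is 0x400 rather than 0: any check that compares DR7 against 0 will fire on every machine.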
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered the open: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag so that its
handle can be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push    00402025            ; "\\.\SICE"
0040106C:  call    CreateFileA
00401071:  cmp     eax,-001            ; INVALID_HANDLE_VALUE
00401074:  je      00401091


There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) + 1 == 0 means "not opened"
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

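As an added example (not code from the original text, nor from any of the programs it names), the following Python script turns the opcode sequences of Methods 01 to 05, 07, 11 and 12 into byte-level signatures and scans a buffer for them, the way a triage script or a YARA rule would scan a suspect packer for these checks. The instruction encodings are the 16-bit ones shown in the listings (the 32-bit forms of the same instructions only add a 66h operand-size prefix, which the patterns tolerate where it matters); the sample buffer is hand-assembled for this example and is not taken from a real binary.

```python
"""Static scan for the SoftICE checks catalogued above.

Added example, not part of the original text or of any packer it mentions.
Each signature is a regex over raw bytes; offsets and labels come back per
hit so an analyst can jump to the check in a disassembler.  SAMPLE below is
hand-assembled test input, not a real executable.
"""
import re
from typing import List, Tuple

# name -> (byte regex, method in the text it corresponds to)
SIGNATURES = {
    # mov ebp,'BCHK' (BD 4B 48 43 42): BoundsChecker interface, Method 01
    "int3_bchk":           (rb"\xbd\x4b\x48\x43\x42", "Method 01"),
    # mov si,4647h / mov di,4A4Dh (optional 66h prefixes): back door magic, Method 02
    "int3_backdoor_magic": (rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a", "Method 02"),
    # mov ax,1684h + mov bx,0202h|7A5Fh (either order) + int 2Fh: Methods 03/04
    "int2f_1684_vxd_id":   (rb"(?:\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)"
                            rb"|\xbb(?:\x02\x02|\x5f\x7a)\xb8\x84\x16)\xcd\x2f", "Method 03/04"),
    # mov ax,4Fh ; int 41h: debugger installation check, Method 05
    "int41_4f":            (rb"\xb8\x4f\x00\xcd\x41", "Method 05"),
    # cmp ax,0F386h (3D 86 F3): the magic answer tested by Methods 05, 07 and 12
    "cmp_ax_f386":         (rb"\x3d\x86\xf3", "Method 05/07/12"),
    # mov ah,43h ; int 68h: WinICE V86 handler, Method 07
    "int68_43":            (rb"\xb4\x43\xcd\x68", "Method 07"),
    # push 4Fh ; push 2A002Ah: VxDCall VWIN32_Int41Dispatch, Method 12
    "vxdcall_int41":       (rb"\x6a\x4f\x68\x2a\x00\x2a\x00", "Method 12"),
    # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE": MeltICE-style CreateFile/_lopen, Method 11
    "device_name":         (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", "Method 11"),
}

COMPILED = {name: (re.compile(pat), method) for name, (pat, method) in SIGNATURES.items()}


def scan(buf: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, signature name, matched bytes) for every hit, sorted by offset."""
    hits = []
    for name, (rx, _method) in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name, m.group(0)))
    return sorted(hits)


def methods_present(buf: bytes) -> List[str]:
    """Distinct 'Method NN' labels from the text whose signature appears in buf."""
    return sorted({COMPILED[name][1] for _, name, _ in scan(buf)})


# Hand-assembled sample: NOP padding plus one instance of each check.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"     # Method 01 at offset 4
    + b"\x90" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"         # Method 02 magic at offset 21
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                 # Method 03 at offset 28
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                 # Method 05 at 36, cmp ax,F386h at 41
    + b"\xb4\x43\xcd\x68"                                 # Method 07 at offset 44
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                     # Method 12 at offset 48
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 strings at 55 and 64
)

if __name__ == "__main__":
    for off, name, raw in scan(SAMPLE):
        print(f"{off:#06x}  {name:<22} {raw.hex(' ')}")
    print("methods:", ", ".join(methods_present(SAMPLE)))
```

The signatures deliberately key on the immediates that a protector cannot change (the BCHK and FGJM magics, the VxD IDs, 0F386h, 002A002Ah and the device names) rather than on surrounding code, so register renaming or reordering around the interrupt does not defeat them; a packer that builds these constants at run time still has to materialise them somewhere, which is where the BPX conditions given in the text take over.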
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set if no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>