<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
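The interrupt-based checks in methods 01 to 05 and 07 (and the 32-bit VxDCall form shown in method 12 below) all carry fixed immediates, so an analyst can flag them statically while triaging a sample. The scanner below is an added example, not code from the original text: the signatures are written here from the encodings of the listed instructions, and the sample bytes are constructed (the Haspinst-style method 02 loop followed by a method 05 check).

```python
import re

# Signatures for the SoftICE checks in methods 01-05 and 07, plus the 32-bit
# VxDCall form of method 12. Encodings are those of a 16-bit code segment;
# the optional 66h operand-size prefix covers the same instructions assembled
# in 32-bit code. Method 06 has no fixed immediate to match and is left out.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK': mov ebp,4243484Bh .. int 3":
        rb"\x66?\xbd\x4b\x48\x43\x42.{0,16}?\xcc",
    "M02 back door: mov si,4647h / mov di,4A4Dh .. int 3":
        rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a.{0,8}?\xcc",
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02.{0,8}?\xcd\x2f",
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a.{0,8}?\xcd\x2f",
    "M05 int 41h fn 4Fh, expects magic 0F386h":
        rb"\x66?\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x66?\x3d\x86\xf3",
    "M07 int 68h fn 43h, expects magic 0F386h":
        rb"\xb4\x43.{0,8}?\xcd\x68.{0,8}?\x66?\x3d\x86\xf3",
    "M12 VxDCall VWIN32_Int41Dispatch fn 4Fh, expects magic 0F386h":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00.{0,12}?\x66\x3d\x86\xf3",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(code: bytes) -> list:
    """Return [(offset, signature name), ...] for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(code)]
    return sorted(hits)


# Constructed sample, not taken from any real binary: the Haspinst-style
# method 02 loop body, then a method 05 check, between NOP and zero padding.
METHOD02 = bytes.fromhex(
    "b81109"  # mov ax,0911h
    "8b17"    # mov dx,[bx]
    "be4746"  # mov si,4647h
    "bf4d4a"  # mov di,4A4Dh
    "cc"      # int 3
    "83c302"  # add bx,02
    "41"      # inc cx
    "83f906"  # cmp cx,06
    "72eb"    # jb 0095
)
# mov ax,4fh / int 41h / cmp ax,0F386h / jz SoftICE_detected
METHOD05 = bytes.fromhex("b84f00" "cd41" "3d86f3" "7405")
SAMPLE = b"\x90" * 8 + METHOD02 + b"\x90" * 5 + METHOD05 + b"\x00" * 4

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the immediates are present; confirm in a disassembler that the bytes sit in reachable code before treating it as an anti-debug check.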
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
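To see what a method 10 style check actually reads, the following added example (not from the original text) decodes a DR7 value into its LE/GE bits, the reserved bit 10 that gives the 0x400 baseline, and the per-register enable, type and length fields that reveal a BPM. The 0xD0402 value used in the demo is constructed here.

```python
# Field layout of the x86 DR7 debug-control register (Intel SDM vol. 3):
#   bits 0-7   : L0,G0 .. L3,G3 local/global enable bits for DR0..DR3
#   bits 8-9   : LE, GE (exact breakpoint match; set by debuggers)
#   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
#   bits 16-31 : R/Wn (2 bits) and LENn (2 bits) for each DRn
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the fields a method 10 style check looks at."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if local or glob:  # DRn is armed: report what it watches
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            info["breakpoints"].append(
                {"reg": f"DR{n}", "local": local, "global": glob,
                 "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return info


def debugger_signs(dr7: int) -> list:
    """What a program reading DR7 (method 10) could infer from this value."""
    d = decode_dr7(dr7)
    signs = []
    if d["LE"] and d["GE"]:
        signs.append("LE/GE set: the 0x700 pattern the text attributes to the SoftICE loader")
    for bp in d["breakpoints"]:
        signs.append(f"{bp['reg']} armed ({bp['type']}, {bp['len']} byte(s)): a BPM is set")
    return signs


if __name__ == "__main__":
    # 0xD0402 is constructed: 0x400 baseline + G0 + R/W0=write + LEN0=4 bytes
    for value in (0x400, 0x700, 0xD0402):
        print(f"DR7={value:#x}: {debugger_signs(value) or ['nothing suspicious']}")
```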

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>