<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        /* Opening the VxD by its device name only succeeds if the driver is loaded. */
        hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited, because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
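The instruction sequences and strings listed in the methods above can be turned into a static triage check for an analyst looking at a packed or protected executable. The following Python script is an added example, not code from the original page: it encodes the sequences of methods 01, 02, 03/04, 05, 07 and 12 as x86 machine code (it goes a little beyond the page by accepting both the 16-bit and the 32-bit encodings, which differ only by the optional 66h operand-size prefix), adds the device names of method 11 and the registry keys of method 13 as string indicators, and reports every offset in a buffer where one of them occurs. The sample buffer is constructed for the example; a hit only means the byte pattern is present (short patterns can match by chance), so it is a triage aid, not proof that a protection is in use.

```python
"""Static triage scanner for the SoftICE-detection patterns listed on this page.

Added example (not the page's own code). Patterns follow the instruction sequences
shown in methods 01, 02, 03/04, 05, 07 and 12 and the strings of methods 11 and 13.
"""
import re

# Opcode-level signatures. With re.DOTALL "." matches any byte, so ".{0,N}" tolerates a
# few unrelated instructions between the parts of a sequence. "\x66?" accepts the
# operand-size prefix that 32-bit code needs for 16-bit register operands.
OPCODE_PATTERNS = {
    name: re.compile(pat, re.DOTALL) for name, pat in {
        # Method 01: mov ebp,4243484Bh ('BCHK' is 4B 48 43 42 little-endian) ... int 3
        "01 BoundsChecker BCHK (mov ebp,4243484Bh ... int 3)":
            rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
        # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (SoftICE back door)
        "02 int 3 back door (si=4647h, di=4A4Dh)":
            rb"\x66?\xBE\x47\x46.{0,8}\x66?\xBF\x4D\x4A.{0,16}\xCC",
        # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
        "03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
            rb"\x66?\xB8\x84\x16.{0,8}\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
        # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
        "05 int 41h/4Fh magic 0F386h":
            rb"\x66?\xB8\x4F\x00.{0,8}\xCD\x41.{0,16}\x66?\x3D\x86\xF3",
        # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
        "07 int 68h/43h magic 0F386h":
            rb"\xB4\x43.{0,4}\xCD\x68.{0,16}\x66?\x3D\x86\xF3",
        # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
        "12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
            rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    }.items()
}

# String indicators (compared case-insensitively, registry paths are case-insensitive).
STRING_INDICATORS = [
    ("11 MeltICE device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("11 MeltICE device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("11 MeltICE device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("13 registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    ("13 registry key Uninstall\\SoftICE", b"Uninstall\\SoftICE"),
    ("13 registry key App Paths\\Loader32.Exe", b"App Paths\\Loader32.Exe"),
]


def scan(buf: bytes) -> list:
    """Return [(indicator name, offset)] for every pattern found, sorted by offset."""
    hits = []
    for name, pattern in OPCODE_PATTERNS.items():
        for m in pattern.finditer(buf):
            hits.append((name, m.start()))
    lowered = buf.lower()
    for name, needle in STRING_INDICATORS:
        needle = needle.lower()
        pos = lowered.find(needle)
        while pos != -1:
            hits.append((name, pos))
            pos = lowered.find(needle, pos + 1)
    hits.sort(key=lambda hit: hit[1])
    return hits


# Constructed sample: a 16-bit stub carrying methods 01, 02, 03 and 05, a 32-bit
# fragment carrying method 12, and the strings of methods 11 and 13.
SAMPLE = (
    b"\x90\x90\x90\x90"
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh (66h prefix in 16-bit code)
    + b"\xB8\x04\x00"               # mov ax, 4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\xB8\x11\x09"               # mov ax, 0911h   (Haspinst.exe style)
    + b"\x8B\x17"                   # mov dx, [bx]
    + b"\xBE\x47\x46"               # mov si, 4647h
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh
    + b"\xCC"                       # int 3
    + b"\x33\xFF"                   # xor di, di
    + b"\x8E\xC7"                   # mov es, di
    + b"\xB8\x84\x16"               # mov ax, 1684h
    + b"\xBB\x02\x02"               # mov bx, 0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\xB8\x4F\x00"               # mov ax, 4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
    + b"\x74\x02"                   # jz SoftICE_Detected
    + b"\x6A\x4F"                   # push 4Fh             (32-bit code)
    + b"\x68\x2A\x00\x2A\x00"       # push 002A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:08X}  {name}")
```

Running the script on the constructed buffer lists eight hits in offset order (methods 01, 02, 03/04, 05, 12, then the two device names and the registry key). The method 07 pattern is present only to show the form; the sample contains no int 68h sequence.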
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>