<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL still 4: nothing answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmps back.
4C19:00AD  MOV  BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI still 0:0 -> no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (IVT segment), as in Method 06
        xchg bx, es:[41h*4+2]   ; install a dummy int 41h handler
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter 0: a pseudo-random byte
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL: our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

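As an added example (not part of the original document), here is how the DR7/DR0-DR3 state that Method 10 reads can be decoded once a ring-0 component has fetched it: the bit layout is the standard x86 one (enable bits 0-7, LE/GE at bits 8-9, reserved bit 10, GD at bit 13, R/W and LEN pairs from bit 16), and the "loader signature" check mirrors the 0x700 versus 0x400 values quoted above. Function and field names are our own, and the register values in the usage block are constructed.

```python
# Added example (not code from the original document): decode the debug
# registers the way the ring-0 check in Method 10 reads them.  Bit layout of
# DR7 follows the x86 architecture manuals; 0x700 / 0x400 are the values the
# document reports for "loaded with the SoftICE loader" vs. not.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}          # LENn field (2 = 8 bytes, 64-bit only)

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # always reads as 1, so a "clean" DR7 is 0x400
DR7_GD = 1 << 13         # general detect: traps any MOV to/from a DRn


def active_breakpoints(dr7, dr0_3):
    """Return the hardware breakpoints (BPMs, in SoftICE terms) enabled in DR7.

    dr0_3 is the list [DR0, DR1, DR2, DR3] of linear addresses."""
    found = []
    for slot in range(4):
        local_en = (dr7 >> (2 * slot)) & 1
        global_en = (dr7 >> (2 * slot + 1)) & 1
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        found.append({
            "slot": slot,
            "address": dr0_3[slot],
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if global_en else "local",
        })
    return found


def classify_dr7(dr7, dr0_3):
    """Summarize what a Method-10 style check would conclude from DR7/DR0-3."""
    return {
        # 0x700 = LE | GE | reserved bit: the value the document attributes
        # to a program started from the SoftICE loader
        "loader_signature": (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": active_breakpoints(dr7, dr0_3),
    }


def make_dr7(slot, kind, length, global_scope=False):
    """Build a DR7 value holding one breakpoint (used to construct inputs)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 = DR7_RESERVED1
    dr7 |= 1 << (2 * slot + (1 if global_scope else 0))
    dr7 |= rw << (16 + 4 * slot)
    dr7 |= ln << (18 + 4 * slot)
    return dr7


if __name__ == "__main__":
    # constructed values: a BPM-style 4-byte write watch in slot 0 at 0x401000
    dr7 = make_dr7(0, "write", 4)
    print(hex(dr7), classify_dr7(dr7, [0x401000, 0, 0, 0]))
    print(hex(0x700), classify_dr7(0x700, [0, 0, 0, 0]))
```

The decoder is the same thing a protection reads from the other side: any enabled slot is a BPM or hardware BPX that the debugged program can see, which is why the note above insists on clearing breakpoints before stepping past such a check.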
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then
browse the DDB list until it finds the VxD and its DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

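As an added example that is not part of the original document, here is a static triage scanner for the byte sequences quoted in Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD lookups, the int 41h/4Fh and int 68h/43h calls, the VxDCall push pair, the \\.\SICE-style driver names and the NuMega registry key. The opcode bytes are the 16-bit encodings of the listed instructions (a 66h prefix in 32-bit code leaves these suffixes unchanged); the labels, the gap tolerances between instructions and the sample buffer are constructed for this example, and an absence of hits proves nothing, since these are exactly the bytes a packer can reorder or build at run time.

```python
import re

# Added example (not code from the original document): a static scanner for
# the anti-SoftICE sequences the methods above quote.  Byte patterns are the
# 16-bit encodings of the listed instructions; labels are our own.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')
    ("method01_bchk", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order, up to 8 bytes apart)
    ("method02_int3_backdoor",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ... mov bx,<VxD id> ... int 2Fh
    ("method03_sice_vxd_entry", rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F"),
    ("method04_siwvid_vxd_entry", rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("method05_int41_4f", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("method07_int68_43", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("method12_vxdcall_int41",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: the driver names opened by CreateFileA / _lopen (MeltICE)
    ("method11_driver_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry key #2
    ("method13_registry_key", rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(buf):
    """Return sorted (offset, label) pairs for every signature hit in buf."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    return sorted(hits)


def report(buf):
    """Group hit offsets by label, for a quick triage summary."""
    summary = {}
    for offset, name in scan(buf):
        summary.setdefault(name, []).append(offset)
    return summary


def scan_file(path):
    with open(path, "rb") as fh:
        return report(fh.read())


# Constructed sample: the Method 01, 02, 03, 05 and 12 sequences plus a
# driver name and the registry key, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"     # mov ebp,'BCHK' ... cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h ... int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # push 4Fh; push 2A002Ah
    + b"\\\\.\\SICE\x00"                                   # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over an unpacked image, or over a memory dump taken after the packer's stub has finished, since the stub itself is usually the part that carries these checks in clear.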
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>