<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV     AX,0911         ; execute command.
4C19:0098  MOV     DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A  MOV     SI,4647         ; 1st magic value.
4C19:009D  MOV     DI,4A4D         ; 2nd magic value.
4C19:00A0  INT     3               ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD     BX,02           ; BX+2 to point to the next command to execute.
4C19:00A4  INC     CX
4C19:00A5  CMP     CX,06           ; Repeat 6 times to execute
4C19:00A8  JB      0095            ; 6 different commands.
4C19:00AA  JMP     0002            ; Bad_Guy jmp back.
4C19:00AD  MOV     BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip
        is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE, but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push    00402025        ; \\.\SICE
        0040106C: call    CreateFileA
        00401071: cmp     eax,-001
        00401074: je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06), but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
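Added here as an illustration, not code from the original document: a small Python scanner that searches a raw binary image for the byte-level fingerprints of the tricks listed above (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h, int 41h/4Fh and int 68h/43h sequences, the VxDCall pushes, the \\.\SICE family of device names and the NuMega registry key), the kind of check an analyst runs over a sample before stepping into it. The opcode encodings are my own assumptions (16-bit for the DOS fragments, 32-bit for the Win32 pushes) and the sample image is constructed.

```python
# Added example, not part of the original document: a static scanner for the
# byte-level fingerprints of the SoftICE detection tricks described above.
# The opcode encodings below are mine (16-bit encodings for the DOS fragments,
# 32-bit for the Win32 pushes); the sample image at the bottom is constructed.
import re

# (label, regex over raw bytes). Immediates are little-endian.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') followed within a few bytes by int 3
    ("M01 BCHK/int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: mov si, 4647h ; mov di, 4A4Dh (back-door magic values)
    ("M02 back-door SI/DI magic",
     rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 03/04: mov ax, 1684h ; mov bx, 0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID probe",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax, 4Fh ; int 41h ; cmp ax, 0F386h
    ("M05 int 41h/4Fh",
     rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah, 43h ; int 68h ; cmp ax, 0F386h
    ("M07 int 68h/43h",
     rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall Int41Dispatch/4Fh",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key holding the installation directory
    ("M13 NuMega registry key",
     rb"Software\\NuMega\\SoftICE"),
]

def scan(image, signatures=SIGNATURES):
    """Return a sorted list of (offset, label) for every signature hit in image."""
    hits = []
    for label, pattern in signatures:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)

# Constructed sample image: NOP filler around three fragments from this page.
SAMPLE = (
    b"\x90" * 16
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # Method 02 magic values + int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # Method 05 sequence
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"     # Method 11 device names
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#08x}  {label}")
```

A hit only says the constant sequence is present; confirm it by disassembling at the reported offset, since data or unrelated code can contain the same bytes.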