About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must point to the IVT (segment 0)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the old one
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger got there first
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* a valid handle means the SICE VxD answered the open request */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.