About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: SoftICE recognises
'BCHK' in EBP when an INT 3 arrives with AX=4 and answers by modifying
AL. If AL is still 4 after the INT 3, no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE BoundsChecker interface
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler
  (SEH-style) when the debugger is not loaded: with no SoftICE to swallow
  the INT 3, the program's handler runs and resumes at 00ADh.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is loaded, the
call returns its API entry point in ES:DI; otherwise ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

" p: B/ s' f4 G3 V7 N7 K9 _0 |! yMethod 04" s: `4 v0 E  ?) N# |
=========- i* t2 k) l/ {

+ ^, U; V. h# X7 x  OMethod identical to the preceding one except that it seeks the ID of SoftICE
4 L4 @) w0 o) S9 [! X! uGFX VxD.
. s1 V. P: [/ n  R% Q  F( W0 X( D1 D  v7 A
    xor     di,di
! G. K1 \+ }* O( g9 w: f6 G    mov     es,di
: J5 I5 g+ G' K- s, a" G: n9 i( H6 \: C    mov     ax, 1684h       " ~4 G9 c, H4 x  B
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
8 l" L4 W. A& M, ^+ t- Z    int     2fh
$ H- {# j: M4 ~# P, _$ M    mov     ax, es          ; ES:DI -&gt; VxD API entry point" [4 J1 o+ `$ J9 Y, {
    add     ax, di; [+ b5 R8 K9 W, S" p" J- H
    test    ax,ax
7 T/ z" V; Y- U. y2 M) c3 N# v    jnz     SoftICE_Detected
2 V; e' I" @& J7 n' i% J" b: f, M: {) w8 y
__________________________________________________________________________
! s/ l+ Y9 c) @* A: z, O. V+ R7 |* m$ k& n8 x" B, r, b- J. I
; W( ~1 }& `  X; R6 x) ]0 o2 i
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (Debugger Installation
Check). There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A temporary IRET handler is installed
in the real-mode IVT so that, without a debugger, int 41h returns with AX
still equal to 4Fh; SoftICE intercepts the interrupt regardless of the
vector and answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
because it neither uses function 4Fh nor compares against 0F386h. The
temporary handler copies AL into CL: without a debugger the handler runs
and CL equals AL afterwards; under SoftICE, which intercepts int 41h
itself, the comparison fails. (Note the 1-in-256 blind spot: if the byte
read from port 40h is 0, CL (zeroed beforehand) and AL are equal in both
cases unless SoftICE also altered AL.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from PIT channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine. It calls int 21h functions 25h and 35h (set/get interrupt
vector); ds:dx points to the new routine to execute (hangs the
computer...):

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise:
0x400 is the reset value of DR7, since bit 10 always reads 1, and 0x700 has
the LE and GE 'exact breakpoint' bits set on top of it) or if there are
memory breakpoints set (DR0 to DR3), simply by reading their value (ring 0
only). Values can be manipulated and/or changed as well (clearing BPMs, for
instance).
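As an added example (mine, not from the original text), here is a C decoder for the DR7 layout this check relies on, run over the two values quoted above and over a constructed memory-breakpoint value. It assumes the caller has already read DR7 (from ring 0, or from a thread context on Windows); the function and field names are my own.

```c
/* Added example, not from the original text: decode the DR7 debug control
 * register as an anti-debug check would after reading it (ring 0 "mov eax,dr7",
 * or a thread CONTEXT on Windows). Bit layout is the documented x86 one;
 * 0x400 and 0x700 are the values quoted in Method 10. Names are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_RESET_VALUE 0x400u      /* bit 10 is reserved and always reads 1 */
#define DR7_LE          (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE          (1u << 9)   /* global exact breakpoint enable */
#define DR7_GD          (1u << 13)  /* general detect: trap on DRx access */

struct hwbp {
    int enabled;   /* L or G bit set for this DRn */
    int global;    /* G bit set */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len;       /* 1, 2, 4 or 8 bytes */
};

struct dr7_state {
    struct hwbp bp[4];
    int exact;            /* LE or GE set */
    int general_detect;   /* GD set */
    int any_enabled;      /* at least one of DR0..DR3 is armed */
};

static int dr7_len_bytes(unsigned code)
{
    switch (code & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;    /* 10b: 8 bytes in 64-bit mode, undefined on 32-bit */
    }
}

struct dr7_state dr7_decode(uint32_t dr7)
{
    struct dr7_state s;
    memset(&s, 0, sizeof s);
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1u;        /* L0..L3: bits 0,2,4,6 */
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;    /* G0..G3: bits 1,3,5,7 */
        s.bp[i].enabled = (local | global) != 0;
        s.bp[i].global  = global != 0;
        s.bp[i].rw  = (int)((dr7 >> (16 + 4 * i)) & 3u);          /* R/Wn */
        s.bp[i].len = dr7_len_bytes((dr7 >> (18 + 4 * i)) & 3u);  /* LENn */
        if (s.bp[i].enabled)
            s.any_enabled = 1;
    }
    s.exact = (dr7 & (DR7_LE | DR7_GE)) != 0;
    s.general_detect = (dr7 & DR7_GD) != 0;
    return s;
}

/* The two questions Method 10 asks: has DR7 left its reset value at all
 * (the 0x700 case), and is a DR0..DR3 breakpoint (a BPM) actually armed? */
int dr7_looks_touched(uint32_t dr7) { return (dr7 & ~DR7_RESET_VALUE) != 0; }
int dr7_has_armed_bp(uint32_t dr7)  { return dr7_decode(dr7).any_enabled; }

/* Produce the DR7 a debugger would write to arm DRidx; used here to build
 * a realistic BPM value for the decoder (rw as above, len in bytes). */
uint32_t dr7_arm(uint32_t dr7, int idx, int global, unsigned rw, int len_bytes)
{
    unsigned lencode = (len_bytes == 1) ? 0u : (len_bytes == 2) ? 1u
                     : (len_bytes == 4) ? 3u : 2u;
    dr7 |= 1u << (2 * idx + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * idx));
    dr7 |= (rw & 3u) << (16 + 4 * idx);
    dr7 |= lencode << (18 + 4 * idx);
    return dr7;
}

int main(void)
{
    /* constructed sample values: bare DR7, SoftICE-loader DR7, one RW BPM on DR0 */
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm(0x400u, 0, 1, 3u, 4) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_state s = dr7_decode(samples[i]);
        printf("dr7=%#08x touched=%d exact=%d armed=%d dr0: rw=%d len=%d\n",
               (unsigned)samples[i], dr7_looks_touched(samples[i]),
               s.exact, s.any_enabled, s.bp[0].rw, s.bp[0].len);
    }
    return 0;
}
```

With SoftICE memory breakpoints (BPM) the interesting part is not the 0x400/0x700 difference but the L/G bits and the R/W and LEN fields of the armed slot, which is what the decoder exposes; a protection that reads these can also write them back cleared, which is the "clearing BPMs" the text mentions.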
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. A successful open means the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger Installation Check (methods
05 and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in keys #2
and #1 respectively, so key #3 is not caught by this condition.)
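The breakpoint above and the CreateFileA one from Method 11 both hardcode offsets into the argument strings. As an added example (mine, not from the original text), the same two conditions are written below as C predicates over the device and key names listed in the text, with the 0x13/0x37 offsets derived rather than assumed; the function names are my own.

```c
/* Added example, not from the original text: the conditions behind the
 * two SoftICE conditional breakpoints used against MeltICE (Method 11) and
 * the registry probe (Method 13), written as C predicates that run over the
 * argument strings a hooked CreateFileA / RegOpenKey would receive.
 * The device and key names are the ones listed in the text. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte offset at which "needle" first appears in "s", or -1. */
static long find_offset(const char *s, const char *needle)
{
    const char *p = strstr(s, needle);
    return p ? (long)(p - s) : -1;
}

/* Equivalent of:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix; '....' compares
 * four bytes. Strings shorter than 8 bytes can never match. */
int bpx_createfilea_hit(const char *lpFileName)
{
    if (strlen(lpFileName) < 8)
        return 0;
    const char *tag = lpFileName + 4;
    return memcmp(tag, "SICE", 4) == 0 ||
           memcmp(tag, "SIWV", 4) == 0 ||
           memcmp(tag, "NTIC", 4) == 0;
}

/* Equivalent of:
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey. The length checks avoid reading past a short key. */
int bpx_regopenkey_hit(const char *lpSubKey)
{
    size_t n = strlen(lpSubKey);
    return (n >= 0x13 + 4 && memcmp(lpSubKey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(lpSubKey + 0x37, "tICE", 4) == 0);
}

/* Registry paths from Method 13 (HKEY_LOCAL_MACHINE is the hive handle,
 * not part of the lpSubKey string). */
static const char *const k_uninstall =
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char *const k_numega = "Software\\NuMega\\SoftICE";
static const char *const k_apppath =
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

/* Where "tICE" lands in each key: this is how the breakpoint's 0x13 and
 * 0x37 were obtained. -1 means the condition cannot fire for that key. */
long tice_offset_uninstall(void) { return find_offset(k_uninstall, "tICE"); }
long tice_offset_numega(void)    { return find_offset(k_numega, "tICE"); }
long tice_offset_apppath(void)   { return find_offset(k_apppath, "tICE"); }

int main(void)
{
    /* constructed sample arguments: the three SoftICE devices plus two innocent paths */
    const char *devs[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\PhysicalDrive0", "C:\\x" };
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", devs[i],
               bpx_createfilea_hit(devs[i]) ? "break" : "pass");
    printf("tICE @ %#lx (Uninstall), %#lx (NuMega), %ld (App Paths)\n",
           tice_offset_uninstall(), tice_offset_numega(), tice_offset_apppath());
    printf("RegOpenKey(App Paths key) -> %s\n",
           bpx_regopenkey_hit(k_apppath) ? "break" : "pass");
    return 0;
}
```

Running it shows that key #3 (App Paths\Loader32.Exe) contains no "tICE" and is therefore never caught by the _regopenkey condition; a program that only probes that key needs its own breakpoint condition.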
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>