<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface by passing the 'BCHK'
signature in ebp:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(get API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next snippet as well as Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES must address the IVT (segment 0), as in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; ax is still 4fh if only our handler ran
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value read from the timer port
 xor cx,cx
 int 41h ; our handler copies al into cl...
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; ...unless something else answered int 41h
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. when the
   SoftICE VxD is loaded and answers the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

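The breakpoints quoted in the methods above find these tricks while the
program runs. An analyst triaging a packed sample usually wants to spot them
before running anything, so here is an added example (not part of the
original text, and not a tool it mentions): a Python scanner that encodes
the register set-ups of Methods 01-05, 07 and 12, the 0F386h compare, and
the driver names and registry key of Methods 11 and 13 as byte patterns and
reports their offsets in a raw code/data blob. The opcode encodings are the
standard x86 ones; the signature keys, the scan/summarize helpers and the
SAMPLE blob are constructed for this example.

```python
"""Signature scanner for the SoftICE-detection tricks listed above.

Added example, not part of the original text.  SAMPLE is a constructed
blob, not a real binary.
"""
import re

# (key, description, pattern over raw bytes).  Immediates are little-endian.
# The optional 0x66 operand-size prefix lets the same pattern match the
# 16-bit register moves when they appear inside 32-bit code.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL)),
    ("M02", "SoftICE back door: si=4647h, di=4A4Dh, then int 3",
     re.compile(rb"(?:\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a"
                rb"|\x66?\xbf\x4d\x4a.{0,8}?\x66?\xbe\x47\x46).{0,8}?\xcc",
                re.DOTALL)),
    ("M03/04", "int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb(?:\x02\x02|\x5f\x7a)"
                rb".{0,8}?\xcd\x2f", re.DOTALL)),
    ("M05", "int 41h function 4Fh",
     re.compile(rb"\x66?\xb8\x4f\x00.{0,4}?\xcd\x41", re.DOTALL)),
    ("M07", "int 68h function 43h",
     re.compile(rb"\xb4\x43.{0,4}?\xcd\x68", re.DOTALL)),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 2A002Ah",
     re.compile(rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00")),
    ("F386", "compare against the debugger magic value: cmp ax,0F386h",
     re.compile(rb"\x66?\x3d\x86\xf3")),
    ("M11", "SoftICE driver name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob):
    """Return every hit as (offset, key, description), sorted by offset."""
    hits = []
    for key, desc, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), key, desc))
    hits.sort()
    return hits


def summarize(blob):
    """Group scan() hits by signature key -> list of offsets."""
    grouped = {}
    for offset, key, _desc in scan(blob):
        grouped.setdefault(key, []).append(offset)
    return grouped


# Constructed sample: NOP filler around the sequences quoted in the text.
SAMPLE = (
    b"\x90" * 8
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"
    + b"\x90" * 4
    # Method 02 (16-bit, as in Haspinst.exe): mov ax,911h / mov dx,[bx] /
    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 4
    # Method 04 (16-bit): mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"
    + b"\x90" * 4
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"
    + b"\x90" * 4
    # Method 12: push 4Fh / push 2A002Ah
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"
    # Methods 11 and 13: the strings the code opens / looks up
    + b"\x00\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, key, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {key:<6} {desc}")
```

The short "skip windows" (`.{0,8}?`) tolerate a register move or two between
the quoted instructions, which is how these sequences usually appear in
packers; a hit only says the sequence is present, so confirm it in a
disassembler before treating it as an anti-debugging check, and expect the
string signatures (M11, M13) to miss binaries that build the names at run
time.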
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>