<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): a non-zero ES:DI means the VxD is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (interrupt vector table):
        xchg bx, es:[41h*4+2]   ; install our handler, saving the old vector
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC               ; our own int 41h handler: copies AL into CL
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a value that cannot be guessed
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our handler ran, i.e. nobody hooked int 41h
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
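
As an added example that is not part of the original text: a Python scanner
that flags the byte-level traces of the checks listed above (the immediates and
interrupt numbers quoted in methods 01-05, 07, 11, 12 and 13) inside a binary, so
an analyst knows which anti-SoftICE tricks a packer carries before tracing it.
The opcode encodings are standard x86, the values are the ones from the methods
above, and the sample blob is constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Hit:
    method: str   # which method of the list above the bytes belong to
    offset: int   # byte offset of the match inside the scanned blob

_PFX = rb"\x66?"      # optional operand-size prefix (16-bit movs inside 32-bit code)
_GAP = rb".{0,8}?"    # tolerate a few bytes between the parts of one check

# Signatures built from the immediates quoted in each method. Encodings are plain
# x86: mov r16,imm16 = B8+reg, mov ebp,imm32 = BD, mov ah,imm8 = B4, int 3 = CC,
# int n = CD n, push imm8 = 6A, push imm32 = 68.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK / INT 3": rb"\xBD\x4B\x48\x43\x42" + _GAP + rb"\xCC",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) ... int 3
    "02 INT 3 back door (SI=4647h, DI=4A4Dh)":
        rb"(?:" + _PFX + rb"\xBE\x47\x46" + _GAP + _PFX + rb"\xBF\x4D\x4A|"
        + _PFX + rb"\xBF\x4D\x4A" + _GAP + _PFX + rb"\xBE\x47\x46)" + _GAP + rb"\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh ... int 2Fh
    "03/04 INT 2Fh/1684h VxD entry point":
        _PFX + rb"\xB8\x84\x16" + _GAP + _PFX + rb"\xBB(?:\x02\x02|\x5F\x7A)" + _GAP + rb"\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h
    "05 INT 41h/4Fh": _PFX + rb"\xB8\x4F\x00" + _GAP + rb"\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "07 INT 68h/43h": rb"\xB4\x43" + _GAP + rb"\xCD\x68",
    # Method 11 (MeltICE): the driver device names passed to CreateFileA/_lopen
    "11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "12 VxDCall 2A002Ah/4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: the NuMega registry path
    "13 registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(blob: bytes) -> list:
    """Return every signature hit found in blob, sorted by offset."""
    hits = [Hit(name, m.start())
            for name, rx in _COMPILED.items()
            for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.method))

# Constructed sample (not bytes from any real file): the Method 02 sequence of the
# Haspinst.exe listing, then a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"        # mov ax,0911h
    + b"\x8B\x17"            # mov dx,[bx]
    + b"\xBE\x47\x46"        # mov si,4647h
    + b"\xBF\x4D\x4A"        # mov di,4A4Dh
    + b"\xCC"                # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"     # "\\.\SICE"
)
```

Running scan(SAMPLE) reports the back-door sequence at offset 9 and the device
name at offset 20; the same function can be pointed at a whole file read in binary mode.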
) H; ^; X: T* C' N4 |</PRE></TD></TR></TBODY></TABLE> |