<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table at 0000:0000
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if our handler really gets int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer value, unpredictable
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl==al only if our handler was called
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
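A static scanner for the byte patterns the listings in Methods 01 to 13 above produce, as an added example for triaging a binary for these SoftICE checks; it is not code from the original text. The signatures are my own encodings of those instructions (plain 16-bit forms, with an optional 66h operand-size prefix for 32-bit code), and the sample buffer is constructed here.

```python
import re

# Byte signatures derived from the listings in Methods 01 to 13 above
# (added example). x86 encodings used: B8/BB/BE/BF iw = mov ax/bx/si/di,imm16;
# BD id = mov ebp,imm32; B4 ib = mov ah,imm8; CD ib = int; 3D iw = cmp ax,imm16;
# 6A ib = push imm8; 68 id = push imm32. The optional 66h prefix covers the
# same 16-bit register forms when they appear in 32-bit code.
SIGNATURES = {
    "M01": ("BoundsChecker 'BCHK' constant loaded into ebp",
            rb"\xbd\x4b\x48\x43\x42"),
    "M02": ("back door magic values si=4647h, di=4A4Dh",
            rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    "M03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
            rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x02\x02\xcd\x2f"),
    "M04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
            rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x5f\x7a\xcd\x2f"),
    "M05": ("int 41h/4Fh followed by cmp ax,0F386h",
            rb"(?:\x66)?\xb8\x4f\x00\xcd\x41(?:\x66)?\x3d\x86\xf3"),
    "M07": ("int 68h/43h WinICE handler check",
            rb"\xb4\x43\xcd\x68"),
    "M11": ("MeltICE device name passed to CreateFileA/_lopen",
            rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "M12": ("VxDCall VWIN32_Int41Dispatch, function 4Fh",
            rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    "M13": ("NuMega SoftICE registry key string",
            rb"Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, method id) for every signature hit, sorted by offset."""
    hits = []
    for method, (_, pattern) in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), method))
    return sorted(hits)


# Constructed sample: 16-bit code in the style of the Haspinst listing (Method 02),
# a Method 05 check, a Method 12 VxDCall and two MeltICE device strings.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,0911h ... int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"          # mov ax,4fh / int 41h / cmp
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"  # push 4fh / push 2A002Ah / call
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}  {SIGNATURES[method][0]}")
```

Hits are a triage aid only: a packer can split or obfuscate these sequences, so a miss does not prove the check is absent.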