<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* CreateFile resolves to CreateFileA in an ANSI build */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
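
As an added example (not part of the original text), here is an analyst-side scanner in Python that looks for the byte and string idioms of several of the methods above (01, 02, 03/04, 05/06, 07, 11, 12 and 13) in a raw binary, the kind of check one runs over a packed sample to see which anti-SoftICE tricks it carries. The instruction encodings are my own assumptions about how the listed mnemonics assemble, and the sample bytes are constructed.

```python
import re

# Byte-level signatures for the SoftICE checks catalogued above. The
# instruction encodings are assumptions for 16/32-bit x86 code (an optional
# 66h operand-size prefix is tolerated where it matters); the sample bytes
# below are constructed for the demo.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> [66] BD 4B 48 43 42
    ("01 BoundsChecker 'BCHK'",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, either order
    ("02 int 3 back door magics",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh VxD entry point",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh (or mov eax,4Fh) / int 41h
    ("05/06 int 41h function 4Fh",
     re.compile(rb"\x66?\xB8\x4F\x00(?:\x00\x00)?\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h function 43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    ("12 VWIN32_Int41Dispatch VxDCall",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key lookup
    ("13 NuMega registry key", re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(blob):
    """Return every (offset, signature name) hit in blob, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler with three of the idioms embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE" device name
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it against a real sample's raw bytes by replacing SAMPLE with the file contents; hits only point at candidate code and strings, so confirm each one in a disassembler.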
</PRE></TD></TR></TBODY></TABLE>