<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE's int 3 handler
recognises: with EBP='BCHK' and AX=4, a loaded SoftICE services the request
and AL no longer holds 4 on return; without it the value is untouched.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute SoftICE command -the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911     ; execute command.
    4C19:0098  MOV  DX,[BX]     ; ds:dx point to the command (see below).
    4C19:009A  MOV  SI,4647     ; 1st magic value.
    4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02       ; BX+2 to point to next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
    4C19:00A8  JB   0095        ; 6 different commands.
    4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler if
  the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): the call leaves ES:DI = 0 when no VxD with that
ID is loaded, so a non-zero ES:DI means SoftICE is present.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of WINICE
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy IRET so that the call is harmless when nothing handles int 41h;
a loaded SoftICE still answers 0F386h:

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our handler (offset)
    xchg bx, es:[41h*4+2]    ; ... and segment
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
the replacement handler copies AL into CL, and the caller loads AL with a
byte read from the timer port (40h) and clears CX before the int 41h.
If the program's own handler runs, CL == AL afterwards; if the interrupt
never reached it because SoftICE intercepted int 41h, CL is still 0 and the
compare fails. (Should the timer byte happen to be 0 the check yields no
detection, so the trick is not 100% reliable.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; 'random' byte from the PIT counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86): with AH=43h the call
returns AX=0F386h when a system debugger is installed.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine ; DS must hold the routine's segment
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (DR0 to DR3), simply by reading
their value (ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
DR7 bit 10 is reserved and always reads as 1, hence the 0x400 baseline; 0x700
adds the LE and GE bits (8 and 9), and a BPM sets one of the L0..L3/G0..G3
enable bits (0..7) together with the R/W and LEN fields (bits 16..31) of
that slot.

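Added example, not part of the original text: a small Python decoder for the DR7 layout just described, so that 0x400, 0x700 and a programmed BPM can be read back into the slot, access type and length they encode; the arm/clear helpers show what "manipulating" the register amounts to. It assumes the Intel DR7 bit layout and runs offline on constant values; it does not read the real registers (that needs ring0), and the function names and the `classify` heuristic are my own.

```python
"""Decode and manipulate an x86 DR7 value (added example, not page code).

DR7 layout, per the Intel SDM 'Debug Registers' chapter: bits 0..7 are the
L0,G0 .. L3,G3 enable pairs, bit 8 = LE, bit 9 = GE, bit 10 = reserved and
always reads as 1, bit 13 = GD, and bits 16..31 hold a 2-bit R/W field and a
2-bit LEN field for each of the four address slots DR0..DR3.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes (long mode only)
RW_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}

FLAG_BITS = (1 << 8) | (1 << 9) | (1 << 10) | (1 << 13)   # LE, GE, reserved, GD
BASELINE = 1 << 10                                         # 0x400: nothing armed


def decode_dr7(dr7):
    """Return the armed DR0..DR3 slots plus the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "local": local, "global": glob,
                          "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"slots": slots,
            "LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1)}


def arm_bpm(dr7, slot, kind, length, local=True):
    """Return dr7 with one memory breakpoint programmed into `slot`
    (the DRn address itself is written separately)."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    enable_bit = 1 << (2 * slot + (0 if local else 1))
    rw_mask = 3 << (16 + 4 * slot)
    len_mask = 3 << (18 + 4 * slot)
    dr7 = (dr7 | BASELINE) & ~(rw_mask | len_mask)
    dr7 |= enable_bit
    dr7 |= RW_CODES[kind] << (16 + 4 * slot)
    dr7 |= LEN_CODES[length] << (18 + 4 * slot)
    return dr7


def clear_bpms(dr7):
    """Drop every enable and R/W/LEN field, keeping only the flag bits:
    this is what 'clearing BPMs' from ring0 amounts to."""
    return (dr7 & FLAG_BITS) | BASELINE


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """Heuristic (mine) built on the page's observation: 0x400 with empty
    DR0..DR3 is clean, LE+GE (0x700) is the SoftICE-loader signature, and
    any armed slot or non-zero address register means a hardware bp."""
    info = decode_dr7(dr7)
    if info["slots"] or any(dr0_3):
        return "hardware_bp"
    if info["LE"] and info["GE"]:
        return "softice_loader"
    return "clean"


if __name__ == "__main__":
    d = arm_bpm(0x700, 0, "write", 4)        # BPM <addr> W DW on DR0
    print(hex(d), decode_dr7(d), classify(d, (0x401000, 0, 0, 0)))
    print(hex(clear_bpms(d)), classify(clear_bpms(d)))
```

Reading DR7 from ring3 is not possible (MOV from a debug register faults outside ring0), which is why the page insists on ring0 for this trick; the decoder is meant for values dumped from a VxD or a kernel debugger.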
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow the
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* only the SoftICE VxD answers to this device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* handle opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov  eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                 ; HFILE_ERROR (-1) becomes 0
    jnz  00650589            ; detected
    push 00                  ; OF_READ
    mov  eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp  ax, 0f386h        ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the subkey string; offset 0x13 lands on "tICE" in key #2 and
  0x37 on "tICE" in key #1)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag.
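As an added example that is not part of the original text: a static signature scanner, in Python, for the tricks catalogued above, the kind of triage pass one runs over a packed DOS/Win9x executable before stepping through it. The byte patterns are the encodings of the instructions shown in methods 01, 02, 03/04, 05, 07 and 12 and the device/registry strings of methods 11 and 13; the sample blob is constructed for the demo, and the signature names and the `scan`/`report` helpers are my own.

```python
"""Static scan for the anti-SoftICE tricks listed on this page (added
example, not from the page). Patterns are the instruction encodings shown in
the methods; 16-bit register moves carry a 66h prefix in 32-bit code, which
the patterns either allow or simply ignore by starting at the opcode byte."""
import re

SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK'); the 66h prefix used in 16-bit code is skipped
    "01 BCHK int3":       rb"\xbd\x4b\x48\x43\x42",
    # mov si,4647h ... mov di,4A4Dh, at most 16 bytes apart
    "02 backdoor FG/JM":  rb"(?:\x66)?\xbe\x47\x46.{0,16}?(?:\x66)?\xbf\x4d\x4a",
    # mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "03/04 int2F/1684":   rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # mov ax,4Fh ; int 41h
    "05 int41/4F":        rb"\xb8\x4f\x00\xcd\x41",
    # mov ah,43h ; int 68h
    "07 int68/43":        rb"\xb4\x43\xcd\x68",
    # push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall 2A002A":  rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE" device names (MeltICE)
    "11 MeltICE device":  rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # registry keys #1 and #2 from method 13
    "13 registry key":    rb"Software\\(?:NuMega\\SoftICE|"
                          rb"Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)",
}


def scan(blob):
    """Return a sorted list of (offset, signature name) for every hit."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def report(blob):
    """Human-readable lines, one per hit."""
    return ["%08x  %s" % (off, name) for off, name in scan(blob)]


# Constructed sample: the page's snippets assembled as 16-bit code, followed
# by the MeltICE device names and a registry key. Not a real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # method 01
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"            # method 02 (Haspinst-style)
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"            # method 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"                    # method 05
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3"                                # method 07
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"            # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                               # method 13 key
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(data)) or "no anti-SoftICE signatures found")
```

Run it with a file argument to scan a real executable, or without one to see the hits on the constructed sample. A hit only says the opcode sequence is present; methods 09, 10 and 14 run in ring0 (VMMCall) and leave no such signature in a ring3 image, so a clean scan is not proof that the program is debugger-friendly.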
</PRE></TD></TR></TBODY></TABLE>