<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; zero if no entry point was returned
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our dummy handler into the int 41h vector
    xchg bx, es:[41h*4+2]   ; (assumes ES = 0, as set in Method 06)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap our handler into the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if int 41h reached our handler
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

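Added example (not code from the original text or from any of the programs it
names): a small static scanner, in Python, that looks in a binary image for the
byte patterns of the checks described in methods 01 to 07 and 12 above, plus the
driver device names opened by method 11. It is the kind of triage tool an analyst
runs over a sample that refuses to run under a debugger, to know which trick to
expect before tracing. The instruction encodings are assumed to be the 16-bit
real-mode forms (32-bit for the 'BCHK' check of method 01), the 24-byte window
and the in-order fragment matching are simplifying assumptions, and the sample
image is constructed inline for the demonstration.

```python
"""Static scanner for the SoftICE detection idioms listed above.

Assumptions (not from the original text): instruction encodings are the
16-bit real-mode forms (the 'BCHK' check of method 01 is 32-bit), all
fragments of one check appear in order within WINDOW bytes, and the sample
image below is constructed for the demonstration.
"""
from typing import List, Tuple

WINDOW = 24  # assumed maximum spread, in bytes, of one check's instructions

# Each signature: (label, ordered byte fragments that must all be present).
SIGNATURES: List[Tuple[str, List[bytes]]] = [
    ("Method 01: BoundsChecker 'BCHK' check via int 3",
     [b"\xbd\x4b\x48\x43\x42",    # mov ebp, 4243484Bh (32-bit)
      b"\xcc"]),                  # int 3
    ("Method 02: SoftICE back door via int 3 (SI=4647h, DI=4A4Dh)",
     [b"\xbe\x47\x46",            # mov si, 4647h
      b"\xbf\x4d\x4a",            # mov di, 4A4Dh
      b"\xcc"]),                  # int 3
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     [b"\xb8\x84\x16",            # mov ax, 1684h
      b"\xbb\x02\x02",            # mov bx, 0202h
      b"\xcd\x2f"]),              # int 2Fh
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     [b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f"]),
    ("Method 05: int 41h function 4Fh debugger check",
     [b"\xb8\x4f\x00",            # mov ax, 4Fh
      b"\xcd\x41"]),              # int 41h
    ("Method 07: int 68h function 43h (V86 WinICE handler)",
     [b"\xb4\x43",                # mov ah, 43h
      b"\xcd\x68"]),              # int 68h
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah), function 4Fh",
     [b"\x6a\x4f",                # push 4Fh
      b"\x68\x2a\x00\x2a\x00"]),  # push 002A002Ah
]

# Driver device names opened by the MeltICE trick (method 11).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def fragments_in_window(data: bytes, fragments: List[bytes], start: int) -> bool:
    """True if every fragment occurs, in order, inside data[start:start+WINDOW]."""
    pos, limit = start, start + WINDOW
    for frag in fragments:
        idx = data.find(frag, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for label, frags in SIGNATURES:
        idx = data.find(frags[0])
        while idx >= 0:
            if fragments_in_window(data, frags, idx):
                hits.append((idx, label))
            idx = data.find(frags[0], idx + 1)
    for name in DEVICE_NAMES:
        idx = data.find(name)
        while idx >= 0:
            hits.append((idx, "Method 11: opens device " + name.decode()))
            idx = data.find(name, idx + 1)
    return sorted(hits)


# Constructed sample image: the Haspinst.exe-style back door loop of method 02,
# the int 2Fh/1684h probe of method 03, and one MeltICE device name.
SAMPLE = (
    b"\x90" * 8                              # padding (nop)
    + b"\xb8\x11\x09"                        # mov ax, 0911h
    + b"\x8b\x17"                            # mov dx, [bx]
    + b"\xbe\x47\x46"                        # mov si, 4647h
    + b"\xbf\x4d\x4a"                        # mov di, 4A4Dh
    + b"\xcc"                                # int 3
    + b"\x83\xc3\x02"                        # add bx, 2
    + b"\x90" * 8
    + b"\x33\xff\x8e\xc7"                    # xor di, di / mov es, di
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"    # mov ax, 1684h / mov bx, 0202h / int 2Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE' string passed to CreateFileA
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it as is and it reports the three hits in SAMPLE (method 02 at offset 13,
method 03 at offset 35, the device name at offset 51); point scan() at the bytes
of a real image to triage it. Because the check is a plain byte match, it misses
code that is packed or that loads the magic values through registers or memory;
the SoftICE breakpoints given in the text remain the way to catch those at runtime.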
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>