About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes es = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC                   ; our own int 41h handler: copies al to cl
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler on int 41h
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a timer value into al
    xor     cx,cx                   ; cl = 0
    int     41h                     ; our handler sets cl = al, unless the
                                    ; debugger intercepts the interrupt
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; cl != al: our handler was not called

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; eax was -1 (HFILE_ERROR) -&gt; now 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
  F: D% |2 d% ]) [; L( c9 p</PRE></TD></TR></TBODY></TABLE>