<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 when the VxD is absent
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must be 0 (interrupt vector table), see Method 06
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl, al              ; our handler just copies AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: a value not known in advance
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL if our handler was never reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

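To see why the two DR7 values quoted above mean what they mean, here is a decoder for the register's bit fields. It is an added example, not code from the original text: 0x400 is the architecturally reserved bit 10, which always reads as 1, so it is the "nothing armed" baseline; 0x700 additionally has LE (bit 8) and GE (bit 9) set. The function names (decode_dr7, classify) and the classification strings are my own; reading DR7 itself needs ring 0 and is not done here, the code only interprets a value already captured.

```python
"""Decoder for the x86 DR7 debug-control register, added as an example for
Method 10; it is not code from the original text. The page quotes two
values: 0x400 is the architecturally reserved bit 10, which always reads as
1, so 0x400 means 'no hardware breakpoints armed'; 0x700 adds LE (bit 8)
and GE (bit 9). Reading DR7 needs ring 0 (mov eax, dr7), which this code
does not do; it interprets a value an analyst has already captured."""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is defined only in 64-bit mode


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into per-slot enable/type/length fields plus the global flags."""
    slots: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln: breakpoint enabled for the current task
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn: breakpoint enabled for all tasks
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn: which access triggers DRn
        ln = (dr7 >> (18 + 4 * i)) & 3      # LENn: size of the watched range
        slots.append({"index": i, "local": bool(local), "global": bool(glob),
                      "enabled": bool(local or glob),
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "armed": [s["index"] for s in slots if s["enabled"]],
        "le": bool((dr7 >> 8) & 1),                 # local exact breakpoint
        "ge": bool((dr7 >> 9) & 1),                 # global exact breakpoint
        "reserved_bit10": bool((dr7 >> 10) & 1),    # always 1 on real hardware
        "gd": bool((dr7 >> 13) & 1),                # general detect: mov to/from DRx raises #DB
    }


def classify(dr7: int) -> str:
    """Apply the page's Method 10 heuristic to a captured DR7 value."""
    d = decode_dr7(dr7)
    if d["armed"]:
        return "hardware breakpoints armed: " + ", ".join(f"DR{i}" for i in d["armed"])
    if d["le"] or d["ge"]:
        return "no breakpoints armed, but LE/GE set (page: started via the SoftICE loader)"
    return "clean baseline: no hardware breakpoints armed"


if __name__ == "__main__":
    # 0x400 and 0x700 are the page's values; the third is a constructed DR7
    # with DR0 armed as a 4-byte read/write watchpoint (L0=1, R/W0=11b, LEN0=11b).
    for value in (0x400, 0x700, 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)):
        print(f"DR7={value:#010x}: {classify(value)}")
```

The GD flag is the caveat worth remembering when interpreting such values: with bit 13 set, any mov to or from a debug register raises #DB, so a debugger can trap the very read the method relies on.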
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The device name can only be opened when the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>