<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; ES is assumed to be 0 (the interrupt vector table)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but harder to detect:

int41handler PROC
    mov cl, al                ; only runs if the call really reaches this handler
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install the temporary int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h                ; unpredictable value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                ; cl != al means the temporary handler did not run
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

A method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
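
Added example for analysts (not code from the original text or its author):
the interrupt-based tricks of Methods 01 to 07 each leave a distinctive
immediate next to the interrupt they issue, so a protector's use of them can
be flagged statically when triaging a sample rather than by tracing it. The
Python below hand-encodes those instructions into byte-pattern rules and scans
a blob for them; the rule table, the window size and the sample byte strings
are constructed for this example.

```python
"""Static triage helper: find known SoftICE/system-debugger detection
sequences (Methods 01-07) in raw 16-bit x86 code.

Each rule pairs the interrupt the trick issues ("trigger") with the
distinctive immediates around it ("fragments"); a hit is reported when all
fragments occur within WINDOW bytes of a trigger occurrence.  Instruction
encodings in the comments are standard x86; rules and samples are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    method: str
    description: str
    fragments: Tuple[bytes, ...]   # all must appear near the trigger
    trigger: bytes                 # interrupt opcode that anchors the window


RULES = (
    Rule("Method 01", "BoundsChecker 'BCHK' signature via int 3",
         (b"\xBD\x4B\x48\x43\x42",     # mov ebp, 4243484Bh  ('BCHK')
          b"\xB8\x04\x00"),            # mov ax, 4
         b"\xCC"),                     # int 3
    Rule("Method 02", "back door magic values SI=4647h/DI=4A4Dh via int 3",
         (b"\xBE\x47\x46",             # mov si, 4647h
          b"\xBF\x4D\x4A"),            # mov di, 4A4Dh
         b"\xCC"),
    Rule("Method 03", "int 2Fh/1684h with VxD ID 0202h (WINICE)",
         (b"\xB8\x84\x16",             # mov ax, 1684h
          b"\xBB\x02\x02"),            # mov bx, 0202h
         b"\xCD\x2F"),                 # int 2Fh
    Rule("Method 04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
         (b"\xB8\x84\x16",
          b"\xBB\x5F\x7A"),            # mov bx, 7A5Fh
         b"\xCD\x2F"),
    Rule("Method 05", "int 41h function 4Fh, magic 0F386h compared",
         (b"\xB8\x4F\x00",             # mov ax, 4Fh
          b"\x3D\x86\xF3"),            # cmp ax, 0F386h
         b"\xCD\x41"),                 # int 41h
    Rule("Method 07", "int 68h function 43h, magic 0F386h compared",
         (b"\xB4\x43",                 # mov ah, 43h
          b"\x3D\x86\xF3"),
         b"\xCD\x68"),                 # int 68h
)

WINDOW = 24   # bytes inspected on each side of a trigger


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset_of_trigger, method) pairs, sorted by offset."""
    hits = []
    for rule in RULES:
        start = 0
        while (pos := code.find(rule.trigger, start)) >= 0:
            lo = max(0, pos - WINDOW)
            hi = pos + len(rule.trigger) + WINDOW
            region = code[lo:hi]
            if all(frag in region for frag in rule.fragments):
                hits.append((pos, rule.method))
            start = pos + 1
    return sorted(hits)


# Constructed samples (not taken from any real binary):
# the Haspinst.exe loop of Method 02, hand-assembled
SAMPLE_BACKDOOR = bytes.fromhex(
    "B8 11 09"      # mov ax, 0911h
    "8B 17"         # mov dx, [bx]
    "BE 47 46"      # mov si, 4647h
    "BF 4D 4A"      # mov di, 4A4Dh
    "CC"            # int 3
    "83 C3 02"      # add bx, 2
    "41"            # inc cx
    "83 F9 06"      # cmp cx, 6
    "72 EB")        # jb back
# the simplest Method 05 variant
SAMPLE_INT41 = bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05")
# a harmless DOS exit followed by int 3 padding: must not fire
SAMPLE_CLEAN = bytes.fromhex("B8 00 4C CD 21 CC CC")

if __name__ == "__main__":
    for name, blob in (("backdoor", SAMPLE_BACKDOOR),
                       ("int41", SAMPLE_INT41), ("clean", SAMPLE_CLEAN)):
        print(name, scan(blob))
```

The window keeps the rules tolerant of the extra instructions a packer puts
between the immediates and the interrupt (the Haspinst.exe loop has two),
while the clean sample shows that stray int 3 padding alone does not fire.
Method 06 uses neither function 4Fh nor the 0F386h constant, so it offers no
fixed immediate for a byte rule, which fits the text calling it harder to detect.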
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
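
The two DR7 values quoted above follow from the DR7 bit layout: bit 10 is a
reserved bit that always reads as 1 (hence 0x400 even without a debugger),
and the difference between 0x700 and 0x400 is bits 8 and 9, the LE and GE
exact-breakpoint enable bits. The decoder below is an added example, not part
of the original text: it spells out which bits a ring-0 check of this kind is
really reacting to, and which BPM-style breakpoints in DR0-DR3 are armed. The
function and constant names and the sample values are constructed for the
example; 0x700 and 0x400 are the values quoted in the text.

```python
"""Decode an x86 DR7 value the way a ring-0 check like Method 10 reads it.

Bit layout per the Intel SDM (vol. 3, Debug Registers):
  bit 2n      Ln    local enable for breakpoint n (n = 0..3)
  bit 2n+1    Gn    global enable for breakpoint n
  bit 8       LE    local exact breakpoint enable
  bit 9       GE    global exact breakpoint enable
  bit 10      reserved, always reads as 1 (the 0x400 that is always present)
  bit 13      GD    general detect: trap on any access to the debug registers
  bits 16+4n  R/Wn (2 bits) then LENn (2 bits) for breakpoint n
Constant names and sample values are constructed for this example."""
from typing import Dict, List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b (8 bytes) only exists in 64-bit mode


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its control bits and the list of armed breakpoints."""
    info = {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({"n": n, "local": local, "global": glob,
                                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return info


def debugger_indicators(dr7: int) -> List[str]:
    """Everything in DR7 that a Method 10 style check could react to."""
    d = decode_dr7(dr7)
    reasons = []
    if d["LE"] or d["GE"]:
        reasons.append("LE/GE exact-breakpoint bits set (dr7 & 0x300)")
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        reasons.append(f"DR{bp['n']} armed: {scope} {bp['kind']} "
                       f"breakpoint, {bp['length']} byte(s)")
    if d["GD"]:
        reasons.append("GD set: debug-register accesses are trapped")
    return reasons


# Constructed sample values
DR7_NO_DEBUGGER = 0x400                    # only the reserved bit
DR7_SOFTICE_LOADER = 0x700                 # reserved + LE + GE, as quoted above
DR7_WITH_BPM = 0x400 | 0x1 | 0x10000 | 0xC0000   # DR0: local, R/W0=write, LEN0=4 bytes

if __name__ == "__main__":
    for name, v in (("no debugger", DR7_NO_DEBUGGER),
                    ("SoftICE loader", DR7_SOFTICE_LOADER),
                    ("BPM on DR0", DR7_WITH_BPM)):
        print(f"{name}: dr7={v:#x} -> {debugger_indicators(v) or ['nothing']}")
```

Reading DR0-DR3 alongside DR7 gives the breakpoint addresses themselves; the
decoder only needs DR7 because the enable, R/W and LEN fields are all there.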

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

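Methods 11 and 13 both rely on fixed strings (the \\.\SICE, \\.\SIWVID and
\\.\NTICE device names, and the registry paths listed above), which makes them
the easiest of these tricks to spot in a binary without running it. The Python
below is an added example, not code from the original text or its author: it
pulls ASCII and UTF-16LE strings out of a blob and reports which of those
indicators appear. The indicator lists come from the text; the regexes, the
function names and the sample blob are constructed for the example.

```python
"""Static string scan for the SoftICE indicators used by Method 11 (device
names opened with CreateFileA/_lopen) and Method 13 (registry keys).
Indicator lists come from the text; regexes and the sample blob are constructed."""
import re
from typing import List, Tuple

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # printable runs, 6+ chars
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # same, UTF-16LE encoded

DEVICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")
REGISTRY_PATHS = (
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every ASCII or UTF-16LE printable run."""
    found = [(m.start(), m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def find_indicators(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, indicator) for each SoftICE string found.
    Matching is case-insensitive because Win32 device and registry names are."""
    hits = []
    for offset, text in extract_strings(blob):
        low = text.lower()
        for dev in DEVICE_NAMES:
            if dev.lower() in low:
                hits.append((offset, "device", dev))
        for key in REGISTRY_PATHS:
            if key.lower() in low:
                hits.append((offset, "registry", key))
    return hits


# Constructed sample: a fake header, one ANSI device name, one registry path,
# one UTF-16LE device name and an unrelated string.  The two NUL bytes after
# the registry path keep the UTF-16 run from absorbing that string's terminator.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8                       # offsets 0..11
    + b"\\\\.\\SICE\x00"                              # 12..20
    + b"Software\\NuMega\\SoftICE\x00"                # 21..44
    + b"\x00\x00"                                     # 45..46
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"  # 47..66
    + b"normal.txt\x00"                               # 67..77
)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_BLOB):
        print(hit)
```

A hit on a device name is only an indicator of the check, not proof of its
intent: a tool that legitimately talks to the driver carries the same string.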
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>