<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 so that es:[41h*4] is the int 41h vector
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, save the old one
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: a hard-to-predict value in AL
        xor cx, cx
        int 41h                 ; our handler copies AL into CL unless a debugger got there first
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
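As an added example (not part of the original text), a small Python static scanner that looks for the byte sequences and strings the methods above leave in a binary, so an analyst can triage which anti-SoftICE checks a packed file contains before stepping through it. The opcode bytes are derived from the page's own listings; the sample blob is constructed here, not taken from any real program.

```python
"""Static triage for the SoftICE-detection tricks listed on this page: scan a
raw code/data blob for the opcode sequences and strings that the Methods above
leave behind. Opcode bytes are derived from the page's listings; the optional
0x66 prefix lets the 16-bit and 32-bit forms of 'mov ax,imm16' both match."""
import re

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "01 BoundsChecker signature via int 3": rb"\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc\x3c\x04",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (16-bit back door)
    "02 SoftICE back-door magic via int 3": rb"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03",
    # Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
    "03 SICE VxD entry point via int 2Fh/1684h": rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02\xcd\x2f",
    "04 SIWVID VxD entry point via int 2Fh/1684h": rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h
    "05 int 41h/4Fh debugger check": rb"\x66?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h debugger check": rb"\xb4\x43\xcd\x68",
    # Method 11: driver names opened via CreateFileA/_lopen (case-insensitive)
    "11 MeltICE device name": rb"(?i:\\\\\.\\(?:SICE|SIWVID|NTICE))",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch/4Fh": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # Method 13: registry keys that reveal the SoftICE installation
    "13 SoftICE registry key": rb"(?i:(?:NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Map each matching signature name to the list of offsets where it occurs."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def methods_found(blob: bytes) -> list:
    """Sorted method numbers (as numbered on this page) whose signature appears."""
    return sorted(name[:2] for name in scan(blob))


# Constructed sample: NOP padding, Method 01, Method 05, Method 12, then the
# strings used by Methods 11 and 13, glued together (not a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # 01 + jnz
    + b"\x90" * 3
    + b"\x66\xb8\x4f\x00\xcd\x41\x66\x3d\x86\xf3\x74\x05"          # 05 + cmp/jz
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"          # 12 + call
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # 11
    + b"Software\\NuMega\\SoftICE\x00"                             # 13
)
```

Running `scan(SAMPLE)` reports Methods 01, 05, 11 (twice), 12 and 13 with their offsets; a 16-bit `mov bx,7a5Fh` variant is reported as Method 04.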