About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.