About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of the packers/encryptors found on the Internet. It uses the
BoundsChecker interface of SoftICE: 'BCHK' in EBP, AX=4 and an int 3.
If SoftICE is resident, its int 3 handler changes AL; if nothing answers
the interrupt, AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker check
    int     3
    cmp     al,4                   ; AL unchanged: nobody handled the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE or to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE expects in SI and DI (the ASCII codes
of 'FG' and 'JM').
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is cleared first; if a VxD with that ID
is present, the call returns its (nonzero) entry point in ES:DI.


    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h               ; Get VxD API entry point
    mov     bx, 0202h               ; VxD ID of SICE (WinICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax                   ; still zero: no such VxD
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh                  ; Debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by system debuggers
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before calling int 41h, the program swaps
its own (empty) handler into the interrupt vector table: without a debugger
that handler runs and AX comes back unchanged, whereas SoftICE intercepts
int 41h below the vector table and still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (the old vector is kept in DX:BX)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect.
The program's own handler copies AL into CL. CX is zeroed, AL is loaded
with a hard-to-predict byte read from the timer port 40h, and int 41h is
called: if the program's handler ran (no debugger took the interrupt), CL
equals AL afterwards; if SoftICE took it, CL is still 0. There is no fixed
AX=4Fh or 0F386h to break on, which is what makes it harder to spot (and,
once in 256 runs, the timer byte is 0 and the check misses).

int41handler PROC
    mov     cl,al                   ; proves that this handler was reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer count: a value hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h                  ; Debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; ds:dx = new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).
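
To make the two values quoted above concrete, here is an added Python example
(not code from the original text, from SoftICE or from any protection named
here) that decodes a DR7 value into the armed hardware breakpoints and the
LE/GE/GD flags, builds the DR7 a debugger would write to arm a BPM, and clears
the BPMs again the way the text says a protection can. The bit layout is the
architectural one from the Intel SDM; from it, 0x700 and 0x400 differ only in
the LE and GE bits (8 and 9), and bit 10 is the always-set reserved bit.
The function names are this example's own; reading DR7 itself still needs
ring 0, the code only interprets a value already read.

```python
"""Decode and build DR7 values the way a Method 10 style check sees them.

Added example, not from the original text.  Bit layout: Intel SDM vol. 3,
"Debug Registers".  0x400 and 0x700 are the two values the text quotes for
a normally loaded program and one started through the SoftICE loader.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # io needs CR4.DE
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                             # 8 bytes: 64-bit only
KIND_CODE = {v: k for k, v in RW_KIND.items()}
LEN_CODE = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return the armed hardware breakpoints plus the LE/GE/GD flags."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1            # Ln: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1         # Gn: bits 1,3,5,7
        if not (local or glob):
            continue                            # DRi not armed
        rw = (dr7 >> (16 + 4 * i)) & 3          # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3          # LENn: bits 18-19, 22-23, 26-27, 30-31
        bps.append({"slot": i, "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "LE": bool(dr7 & (1 << 8)),         # local exact breakpoint enable
            "GE": bool(dr7 & (1 << 9)),         # global exact breakpoint enable
            "GD": bool(dr7 & (1 << 13))}        # general detect: #DB on any MOV DRn


def debugger_indicators(dr7):
    """What a ring 0 check that only reads DR7 can conclude from it."""
    d = decode_dr7(dr7)
    reasons = []
    if d["breakpoints"]:
        reasons.append("%d hardware breakpoint(s) armed" % len(d["breakpoints"]))
    if d["LE"] or d["GE"]:
        reasons.append("LE/GE set: dr7 is 0x700-style, not the bare 0x400")
    if d["GD"]:
        reasons.append("GD set: DRn accesses are being trapped")
    return reasons


def arm_bpm(dr7, slot, kind="write", length=4, global_scope=False):
    """Return dr7 with DR<slot> armed, as a debugger setting a BPM would."""
    dr7 &= ~(0xF << (16 + 4 * slot)) & 0xFFFFFFFF   # clear old R/W and LEN
    dr7 |= KIND_CODE[kind] << (16 + 4 * slot)
    dr7 |= LEN_CODE[length] << (18 + 4 * slot)
    dr7 |= 1 << (2 * slot + (1 if global_scope else 0))
    return dr7


def clear_bpms(dr7):
    """Disarm DR0-DR3 (what a protection does to kill BPMs), keeping LE/GE/GD."""
    return dr7 & ~0xFF & ~0xFFFF0000 & 0xFFFFFFFF


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x700, 0, "write", 4), 0x2400):
        print("dr7=%08X  %s  %s" % (value, decode_dr7(value), debugger_indicators(value)))
```

Running it shows why the text's check compares against 0x400: that value
carries nothing but the reserved bit, while 0x700 and any armed BPM leave
extra bits set that a ring 0 read can see.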

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected!
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
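
The breakpoints given for each method only fire while the target runs. As an
added example (not part of the original text, and not code from any of the
programs or tools named above), the following Python scanner looks for the
same tricks statically: it searches a raw code or data blob for the
instruction encodings and strings used by Methods 01 to 07, 11, 12 and 13,
so a packed binary can be triaged before stepping into it. The opcode bytes
are the standard x86 encodings of the instructions quoted in each method (a
66h prefix is allowed where 16-bit registers appear in 32-bit code and the
other way round); the sample buffer is constructed for this example, and the
signature names, `scan`, `found_methods` and `backdoor_function` are this
example's own.

```python
"""Static scanner for the anti-SoftICE tricks catalogued above.

Added example, not part of the original text.  Opcode bytes are the
standard x86 encodings of the instructions quoted in each method; SAMPLE
is a constructed fake packer stub used to exercise the scanner.
"""
import re

# Optional 66h operand-size prefix: 32-bit code uses it for 16-bit
# registers (mov ax,...), 16-bit code uses it for 32-bit ones (mov ebp,...).
P66 = rb"(?:\x66)?"

# Method 02's two magic moves (SI=4647h, DI=4A4Dh) can appear in either order.
M02_PAIR = (rb"(?:" + P66 + rb"\xBE\x47\x46.{0,16}?" + P66 + rb"\xBF\x4D\x4A"
            + rb"|" + P66 + rb"\xBF\x4D\x4A.{0,16}?" + P66 + rb"\xBE\x47\x46)")

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("M01 BoundsChecker 'BCHK' interface (int 3)",
     re.compile(P66 + rb"\xBD\x4B\x48\x43\x42" + P66 + rb"\xB8\x04\x00\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     re.compile(M02_PAIR + rb".{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(P66 + rb"\xB8\x84\x16.{0,8}?" + P66
                + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("M05/06 int 41h/4Fh debugger installation check",
     re.compile(P66 + rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h debugger installation check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11: '\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' given to CreateFileA/_lopen
    ("M11 MeltICE driver device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE)),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) / call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry paths that reveal an installed SoftICE
    ("M13 SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.IGNORECASE)),
]

# Method 02 sub-function: mov ax,09xxh encodes as (66) B8 xx 09
BACKDOOR_FN = re.compile(P66 + rb"\xB8(.)\x09", re.DOTALL)


def scan(blob):
    """Return all (offset, trick name) hits in blob, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def found_methods(blob):
    """Just the method numbers present, e.g. ['M01', 'M02', 'M11']."""
    return sorted({name.split()[0] for _, name in scan(blob)})


def backdoor_function(blob, hit_offset, window=32):
    """For a Method 02 hit, return the AX=09xxh sub-function loaded shortly
    before the magic values (0x0911 = execute command), or None."""
    fn = None
    for m in BACKDOOR_FN.finditer(blob, max(0, hit_offset - window), hit_offset):
        fn = 0x0900 | m.group(1)[0]          # keep the one nearest the hit
    return fn


# Constructed sample: a fake packer stub chaining several tricks, with
# NOP (90h) padding so the offsets are easy to follow by hand.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"    # M01, 16-bit code
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # M02, as in Haspinst
    + b"\x90" * 3
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # M03, SICE VxD ID
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                    # M05, cmp ax,0F386h
    + b"\x90" * 3
    + b"\xB4\x43\xCD\x68"                                    # M07
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # M12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                  # M11 strings
    + b"Software\\NuMega\\SoftICE\x00"                       # M13
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        extra = ""
        if name.startswith("M02"):
            extra = "  (AX=%04Xh)" % backdoor_function(SAMPLE, off)
        print("%04X  %s%s" % (off, name, extra))
```

The byte windows (`.{0,8}?`, `.{0,16}?`) absorb the register shuffling
seen in the Haspinst listing; widen them if a packer interleaves junk
instructions, and expect the string signatures to miss a protection that
builds '\\.\SICE' on the stack at run time.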

: r$ f+ L* Z- F__________________________________________________________________________
" t. }7 w9 P! l* ?! G% A( v
$ m% N; t2 }6 M6 Z9 g# \
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed    ; ZF set if no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>