<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE services: with
SoftICE loaded the int 3 is handled by the debugger and AL comes back
different from 4; without it, AL is still 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00AD" is taken through the program's own exception handler
  (SEH) for int 3 when no debugger is loaded; with SoftICE loaded the
  back-door call returns normally and the loop ends in the Bad_Guy path.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via int
2Fh/1684h (Get Device API Entry Point); a non-zero ES:DI means the VxD is
loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the SoftICE
graphics VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). A dummy int 41h handler is
swapped into the interrupt vector table for the duration of the call, so
that without a debugger the interrupt simply returns and AX stays 4Fh:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
                                ; (as in Method 06; not shown in Stone's listing)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

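The checks of Methods 01 to 05 have fixed opcode encodings, so the quickest
way to locate them in a packed DOS program is a byte-signature scan over the
unpacked code, then a BPX on each reported address. The C below is an added
example, not code from the original page or from Stone's archive: the
signature names, the scan functions and the sample buffer are all mine. The
sample buffer is a by-hand encoding of the Haspinst.exe listing of Method 02
(base 4C19:0095 taken from that listing) followed by a Method 05 and a
Method 03 check; it is constructed for the demo and is not a real file.

```c
/* Added example (not from the original page): a static byte-signature
 * scanner for the SoftICE checks of Methods 01-05. The sample buffer below
 * is constructed from the opcode encodings of the page's snippets. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct softice_sig {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

/* Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 (16-bit code) */
static const unsigned char SIG_BCHK[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC };
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 (the back-door magic) */
static const unsigned char SIG_BACKDOOR[] = {
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };
/* Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID) */
static const unsigned char SIG_VXD_SICE[] = {
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04: same with bx=7A5Fh (SIWVID VxD ID) */
static const unsigned char SIG_VXD_SIWVID[] = {
    0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh / int 41h */
static const unsigned char SIG_INT41[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };

static const struct softice_sig SIGS[] = {
    { "Method 01 (BCHK int 3)",          SIG_BCHK,       sizeof SIG_BCHK },
    { "Method 02 (back door int 3)",     SIG_BACKDOOR,   sizeof SIG_BACKDOOR },
    { "Method 03 (int 2F/1684 SICE)",    SIG_VXD_SICE,   sizeof SIG_VXD_SICE },
    { "Method 04 (int 2F/1684 SIWVID)",  SIG_VXD_SIWVID, sizeof SIG_VXD_SIWVID },
    { "Method 05 (int 41/4F)",           SIG_INT41,      sizeof SIG_INT41 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

struct sig_hit {
    size_t offset;                  /* offset of the first signature byte */
    const struct softice_sig *sig;
};

/* Linear scan; returns the number of hits stored (at most max_hits). A bare
 * byte match can also fire on data that merely looks like code, so each hit
 * should be confirmed by disassembling around the offset. */
size_t scan_softice_sigs(const unsigned char *buf, size_t len,
                         struct sig_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const struct softice_sig *sig = &SIGS[s];
            if (off + sig->len <= len &&
                memcmp(buf + off, sig->bytes, sig->len) == 0) {
                hits[n].offset = off;
                hits[n].sig = sig;
                n++;
                off += sig->len - 1;    /* continue after the match */
                break;
            }
        }
    }
    return n;
}

/* Constructed sample: the Haspinst.exe loop of Method 02 as encoded from
 * 4C19:0095, then a Method 05 and a Method 03 check with NOP filler. */
#define SAMPLE_BASE 0x0095
static const unsigned char SAMPLE[] = {
    0xB8, 0x11, 0x09,               /* 0095 MOV AX,0911 */
    0x8B, 0x17,                     /* 0098 MOV DX,[BX] */
    0xBE, 0x47, 0x46,               /* 009A MOV SI,4647 */
    0xBF, 0x4D, 0x4A,               /* 009D MOV DI,4A4D */
    0xCC,                           /* 00A0 INT 3 */
    0x83, 0xC3, 0x02,               /* 00A1 ADD BX,02 */
    0x41,                           /* 00A4 INC CX */
    0x83, 0xF9, 0x06,               /* 00A5 CMP CX,06 */
    0x72, 0xEB,                     /* 00A8 JB 0095 */
    0xE9, 0x55, 0xFF,               /* 00AA JMP 0002 */
    0x8B, 0xDC,                     /* 00AD MOV BX,SP */
    0x90, 0x90, 0x90, 0x90,         /* filler */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,   /* MOV AX,4F / INT 41 */
    0x3D, 0x86, 0xF3,               /* CMP AX,F386 */
    0x90, 0x90,                     /* filler */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, /* int 2F/1684, bx=0202 */
};

/* Hits found in SAMPLE by scan_sample(). */
struct sig_hit sample_hits[8];

/* Scans SAMPLE, prints each hit as seg:off, and returns the hit count. */
size_t scan_sample(void)
{
    size_t n = scan_softice_sigs(SAMPLE, sizeof SAMPLE, sample_hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("4C19:%04zX  %s\n", SAMPLE_BASE + sample_hits[i].offset,
               sample_hits[i].sig->name);
    return n;
}

int main(void)
{
    return scan_sample() == 0;      /* non-zero exit when nothing was found */
}
```

On the sample this reports 4C19:009A for the back-door call, i.e. the MOV
SI,4647 that starts it, which is where a BPX belongs. A miss is not proof of
absence: a packer can build these instructions at run time or use other
encodings of the same moves, and a hit inside a data area is a false
positive, so confirm each address in the disassembler before trusting it.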
_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to spot. A varying
byte read from the timer (port 40h) is the probe: our temporary handler
copies AL into CL, so CL == AL afterwards unless something else (SoftICE)
took the int 41h instead.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer channel 0 as an unpredictable value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only) you can detect whether SoftICE
is loaded (DR7 = 0x700 if you started the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to
let Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. the Win9x SoftICE
 * VxD is loaded. The same call with "\\\\.\\SIWVID" or "\\\\.\\NTICE"
 * covers the video VxD and the NT driver. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the sub-key strings of #2 and #1; #3 contains no "tICE" and is not
caught by it):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
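The conditional breakpoints of Method 11 (on CreateFileA) and of this method
(on _regopenkey) both work the same way: SoftICE reads four bytes at a fixed
offset from the string the program passed and compares them with a four-
character literal. The C below is an added example, not code from the
original page: it re-implements those two conditions as plain predicates on
the argument strings, derives the 0x13/0x37 constants instead of taking them
on trust, and regenerates the _regopenkey expression for a list of keys. All
function names are mine; the device names and sub-keys are constructed
samples, and "\\.\PhysicalDrive0" stands in for an unrelated device.

```c
/* Added example (not from the original page): the conditional breakpoints
 * of Methods 11 and 13 as plain C predicates over the argument strings,
 * plus a generator for the _regopenkey expression. Sample strings are
 * constructed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's 'SICE' literal is a four-byte compare against memory in string
 * order; memcmp reproduces that without any host byte-order dependency. */
static int fourcc_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || 'NTIC'
 * esp->4 is lpFileName (first argument); +4 skips the "\\.\" prefix. */
int bpx_createfilea_fires(const char *lpFileName)
{
    return fourcc_at(lpFileName, 4, "SICE") ||
           fourcc_at(lpFileName, 4, "SIWV") ||
           fourcc_at(lpFileName, 4, "NTIC");
}

/* Offset of the first occurrence of a four-byte tag in key, or -1. This is
 * how the 0x13 / 0x37 constants of the Method 13 breakpoint come about. */
long fourcc_offset(const char *key, const char *tag)
{
    const char *p = strstr(key, tag);
    return p ? (long)(p - key) : -1;
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument of RegOpenKey). */
int bpx_regopenkey_fires(const char *lpSubKey)
{
    return fourcc_at(lpSubKey, 0x13, "tICE") ||
           fourcc_at(lpSubKey, 0x37, "tICE");
}

/* Builds the BPX command for a list of sub-keys. Returns the length written,
 * or -1 when a key carries no "tICE" (it cannot be matched this way) or the
 * buffer is too small. */
int build_regopenkey_bpx(const char *const *keys, size_t nkeys,
                         char *out, size_t outsz)
{
    int len = snprintf(out, outsz, "BPX _regopenkey if");
    for (size_t i = 0; i < nkeys; i++) {
        long off = fourcc_offset(keys[i], "tICE");
        if (off < 0 || len < 0 || (size_t)len >= outsz)
            return -1;
        len += snprintf(out + len, outsz - len, "%s *(esp->8+0x%lX)=='tICE'",
                        i ? " ||" : "", off);
    }
    return (len < 0 || (size_t)len >= outsz) ? -1 : len;
}

/* Constructed samples: device names as in Method 11, and the sub-keys of
 * Method 13 in the order #2, #1, #3. */
static const char *const DEVICES[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
    "\\\\.\\sice", "\\\\.\\PhysicalDrive0"
};
static const char *const SUBKEYS[] = {
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

/* Regenerates the BPX line for the first nkeys sub-keys into a static
 * buffer; NULL when one of them carries no "tICE" (as key #3 does not). */
const char *regen_bpx(size_t nkeys)
{
    static char buf[128];
    return build_regopenkey_bpx(SUBKEYS, nkeys, buf, sizeof buf) > 0 ? buf : NULL;
}

int main(void)
{
    for (size_t i = 0; i < sizeof DEVICES / sizeof DEVICES[0]; i++)
        printf("CreateFileA(\"%s\"): %s\n", DEVICES[i],
               bpx_createfilea_fires(DEVICES[i]) ? "breaks" : "passes");
    for (size_t i = 0; i < sizeof SUBKEYS / sizeof SUBKEYS[0]; i++)
        printf("RegOpenKey(\"%s\"): tICE at %ld, %s\n", SUBKEYS[i],
               fourcc_offset(SUBKEYS[i], "tICE"),
               bpx_regopenkey_fires(SUBKEYS[i]) ? "breaks" : "passes");
    const char *bpx = regen_bpx(2);     /* keys #2 and #1, as on the page */
    if (bpx)
        puts(bpx);
    return 0;
}
```

Two things fall out of running it. The compare is byte-exact, so a program
that passes the device name in another case ("\\.\sice") or opens it through
a path that does not start with "\\.\" slips past the CreateFileA breakpoint
even though the open itself may still succeed; widen the condition or break
unconditionally and inspect when that is a concern. And the _regopenkey
expression regenerated from keys #2 and #1 matches the page's line exactly,
while key #3 (App Paths\Loader32.Exe) yields no offset, which is why it is
not covered.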

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>