<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: when SoftICE is loaded
its int 3 handler recognises the 'BCHK' signature in EBP together with AX=4
and returns with AL changed (cleared), so AL is still 4 only when nobody
answered the interrupt.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

Note that under Win32 an int 3 that no debugger handles raises
EXCEPTION_BREAKPOINT, so this check is normally wrapped in an exception
handler by the packer.

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute SoftICE command - the command is pointed to by DS:DX)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands pointed to by DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own exception
  handler) if the debugger is not loaded.

___________________________________________________________________________
5 Z' o1 D8 Y4 F2 Y. U& |
Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point): ES:DI comes back as 0:0 when
no VxD with that ID is loaded, and non-zero when it is.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
" K. Y; j! c9 S8 C8 t9 ^( d" a/ Y! Q. M3 C4 V0 V
Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX (video) VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
3 O: I2 v% y0 x( s
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced by
a do-nothing handler, so that if no debugger answers the interrupt AX is
still 4Fh afterwards, whatever handler the system had installed in the
vector; SoftICE still sees the call because it intercepts int 41h itself
rather than through this vector.

    xor ax, ax
    mov es, ax              ; ES = 0: ES:[41h*4] is the int 41h vector
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
/ M* J- u5 B9 R3 ^, w! K/ u* G/ p2 g; I5 M! \3 w4 P# `) v0 x) J
Method 06
=========

2nd method, similar to the preceding one but harder to detect: no function
number is passed, and what is tested is whether our own handler ran at all.
The handler copies AL into CL. If SoftICE intercepts int 41h, the handler
never runs, CL stays 0 and differs from the timer-derived value in AL.
(If the byte read from port 40h happens to be 0 the check gives a false
negative.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0: ES:[41h*4] is the int 41h vector
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read PIT counter 0: a pseudo-random byte
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler for int 68h (V86 mode): function AH=43h is
the debugger installation check and returns AX=0F386h when a debugger is
present.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a detection method but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX = new handler (DS = its segment)
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD
    mov edi, Device_Name    ; only used when EAX is 0 (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only: mov eax,drN is a privileged instruction
and faults in ring 3). The values can also be manipulated or changed
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the device exists: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

00401067: push 00402025        ; "\\.\SICE"
0040106C: call CreateFileA
00401071: cmp  eax, -1         ; INVALID_HANDLE_VALUE
00401074: je   00401091        ; not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax, [00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax, [00656638]    ; next device name
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available under
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word selects the VxD (002Ah = VWIN32),
                            ; low word the service (002Ah = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; offsets 0x13 and 0x37
are where "tICE" sits in the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). It returns with ZF set when no debugger is installed.

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag.
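
The int 3, int 2Fh, int 41h, int 68h, VxDCall, device-name and registry
idioms of Methods 01-05, 07 and 11-13 all leave fixed byte patterns in the
protected program, which is how one triages a packed sample for them
without running it. The scanner below is an added example written for this
page; it is not code from the original text nor from any of the packers
or tools named above. It encodes the instruction sequences shown above as
byte patterns, and every sample blob in it is hand-assembled (constructed),
not bytes taken from a real program. It assumes the values are loaded with
the plain mov reg,imm forms shown on this page; a packer that builds the
magic values arithmetically will not match.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.

Added example, not from the original text. Patterns are the x86 encodings of
the instruction sequences shown in Methods 01-05, 07, 11, 12 and 13; the
SAMPLES below are hand-assembled blobs, not bytes from any real program.
"""
import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]      # Method 11
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]                              # Method 13


def _any_of(strings, wide=False):
    """Regex matching any of the byte strings, optionally as UTF-16LE as well."""
    alts = list(strings)
    if wide:
        alts += [s.decode("ascii").encode("utf-16le") for s in strings]
    return re.compile(b"|".join(re.escape(s) for s in alts))


# Exact byte sequences: (code, description, regex)
EXACT = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3. The 66h
    # operand-size prefix on mov ax is present in 32-bit code only.
    ("M01", "BoundsChecker signature (BCHK) via int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc")),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12", "int 41h/4Fh through VxDCall 002A002Ah",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("M11", "SoftICE device name for CreateFileA/_lopen", _any_of(DEVICE_NAMES, wide=True)),
    ("M13", "SoftICE registry key", _any_of(REGISTRY_KEYS, wide=True)),
]

# Interrupt calls qualified by the immediates loaded shortly before them:
# (code, description, int regex, immediates that must all appear, any-of list)
WINDOW = 16   # bytes examined before the int instruction
INT_CHECKS = [
    # Method 02: mov si,4647h / mov di,4A4Dh, then int 3 (CCh or CD 03h)
    ("M02", "SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xcc|\xcd\x03"), [b"\xbe\x47\x46", b"\xbf\x4d\x4a"], []),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id>, then int 2Fh
    ("M03/M04", "int 2Fh/1684h entry-point lookup for SICE or SIWVID",
     re.compile(rb"\xcd\x2f"), [b"\xb8\x84\x16"], [b"\xbb\x02\x02", b"\xbb\x5f\x7a"]),
    # Method 05: mov ax,4Fh, then int 41h
    ("M05", "int 41h/4Fh debugger installation check",
     re.compile(rb"\xcd\x41"), [b"\xb8\x4f\x00"], []),
    # Method 07: mov ah,43h, then int 68h
    ("M07", "int 68h/43h V86 debugger check",
     re.compile(rb"\xcd\x68"), [b"\xb4\x43"], []),
]


def scan(blob):
    """Return sorted (offset, code, description) tuples for every idiom found."""
    hits = set()
    for code, desc, rx in EXACT:
        for m in rx.finditer(blob):
            hits.add((m.start(), code, desc))
    for code, desc, int_rx, need_all, need_any in INT_CHECKS:
        for m in int_rx.finditer(blob):
            before = blob[max(0, m.start() - WINDOW):m.start()]
            if all(p in before for p in need_all) and (not need_any or any(p in before for p in need_any)):
                hits.add((m.start(), code, desc))
    return sorted(hits)


def codes(blob):
    """Just the method codes, for quick triage."""
    return [code for _, code, _ in scan(blob)]


# Constructed samples (hand-assembled; spaces separate instructions)
SAMPLES = {
    # Method 01, 32-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    "M01": bytes.fromhex("bd4b484342 66b80400 cc 3c04 7500"),
    # Method 02, the Haspinst loop body: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    "M02": bytes.fromhex("b81109 8b17 be4746 bf4d4a cc"),
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    "M03": bytes.fromhex("31ff 8ec7 b88416 bb0202 cd2f"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    "M05": bytes.fromhex("b84f00 cd41 3d86f3 7400"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    "M07": bytes.fromhex("b443 cd68 3d86f3 7400"),
    # Method 12: push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h / jz
    "M12": bytes.fromhex("6a4f 682a002a00 e800000000 663d86f3 7400"),
    # Method 11: an ANSI device name followed by a UTF-16LE one
    "M11": b"\x00" * 4 + b"\\\\.\\SICE\x00" + "\\\\.\\NTICE".encode("utf-16le"),
    "M13": b"Software\\NuMega\\SoftICE\x00",
    # an int 3 and an int 2Fh with none of the magic values: must not be reported
    "clean": bytes.fromhex("90909090 cc b80016 cd2f 33c0"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:6s} -> {scan(blob)}")
```

Feed scan() the raw bytes of an unpacked section or a memory dump. The
16-byte look-back before each interrupt deliberately tolerates a few
interleaved instructions (the Haspinst loop has two between the magic
values and the int 3), but an obfuscator that loads SI/DI much earlier, or
through another register, will evade the interrupt checks; the string
checks (M11, M13) survive that and are the cheapest first pass.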
</PRE></TD></TR></TBODY></TABLE>