<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table (segment 0);
                            ; this setup is not in the original listing
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68

(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    /* Returns TRUE if the Win9x SoftICE driver answers to its device name. */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;

        /* "\\.\SICE" is the device name registered by the SoftICE VxD. */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            /* The open only succeeds when the VxD is loaded. */
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
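As an added example (not part of the original text), a small static scanner that flags the byte encodings of the tricks documented above (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a raw binary image, the kind of check an analyst runs on a packed sample before loading it in a debugger. The signatures are the listings hand-assembled into their 16-bit encodings with an optional 66h prefix for 32-bit code segments, and the sample image is constructed here, not taken from any real file.

```python
import re
import sys

# Byte signatures of the SoftICE checks documented above. Each encoding is the
# 16-bit listing assembled as shown; the optional 66h operand-size prefix lets
# the same instruction match when it sits in a 32-bit code segment.
SIGNATURES = [
    ("Method 01", "mov ebp,'BCHK' BoundsChecker signature",
     rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02", "back door magic SI=4647h / DI=4A4Dh followed by int 3",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A[\x00-\xFF]{0,8}?\xCC"),
    ("Method 03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) ID",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("Method 05", "int 41h function 4Fh then compare with magic 0F386h",
     rb"\xB8\x4F\x00\xCD\x41[\x00-\xFF]{0,16}?(?:\x66)?\x3D\x86\xF3"),
    ("Method 07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11", "MeltICE: device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12", "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 2A002Ah",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("Method 13", "registry key Software\\NuMega\\SoftICE",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), method, description))
    return sorted(hits)


def format_hits(hits):
    """One report line per hit, e.g. '0x0004  Method 01    mov ebp,...'."""
    return ["0x%04X  %-12s %s" % hit for hit in hits]


# Constructed sample image (not a real binary): NOP filler around a few of the
# listings above, assembled by hand into their 16-bit encodings.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                   # method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # method 11
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"                   # method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in format_hits(scan(image)):
        print(line)
```

The patterns are deliberately narrow (exact immediates, short gaps), so a packer that builds the magic values in registers arithmetically or stores the device names encoded will not be flagged; the hits are a starting point for manual review, not proof of absence.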