<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE answers the BCHK request and changes al
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands... It is also used to crash SoftICE
and to force it to execute any command (HBOOT...) :-(

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands - the command is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmps back.
    4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di              ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0 -> the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; SoftICE still answered although we hooked the IVT
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; remember the value int 41h was called with
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; an arbitrary value (PIT counter byte)
    xor cx, cx
    int 41h                 ; if SoftICE intercepts it, our handler never sets cl
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
___________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their value (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* Try to open the SICE VxD by its device name. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeds only if the VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

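As an added example (not part of the original text), here is a small static scanner an analyst could run over a suspicious program to flag the fingerprints of the tricks described in methods 01 to 13: the 'BCHK' constant (01), the SI/DI magic values (02), the int 2Fh/1684h calls with the SICE/SIWVID VxD IDs (03/04), the int 41h/4Fh call and the 0F386h magic (05-07, 12), debug-register reads (10), the MeltICE device names (11), the 002A002Ah VxDCall dword (12) and the NuMega registry key (13). The byte patterns are my own encodings of the instructions quoted above (standard x86 machine code, with an optional 66h prefix for 16-bit operands in 32-bit code), the labels are mine, and the sample buffer is constructed, not taken from any real program.

```python
from __future__ import annotations
import re

def _lit(*alts: bytes) -> bytes:
    """Regex alternation of literal byte strings (escaped)."""
    return b"|".join(re.escape(a) for a in alts)

# Fingerprints of the tricks described above. Instruction bytes are the
# standard x86 encodings of the instructions quoted in the text; an optional
# 66h prefix covers the same 16-bit instruction inside 32-bit code.
SIGNATURES = {
    "M01 BCHK": rb"\xBD\x4B\x48\x43\x42",                          # mov ebp,4243484Bh
    "M02 backdoor magic": rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",  # mov si,4647h / mov di,4A4Dh
    "M03/04 int 2F/1684": rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",   # mov bx,0202h|7A5Fh / int 2Fh
    "M05 int 41/4F": rb"\x66?\xB8\x4F\x00\xCD\x41",                # mov ax,4Fh / int 41h
    "M05-07/12 F386": rb"\x66?\x3D\x86\xF3",                       # cmp ax,0F386h
    "M07 int 68/43": rb"\xB4\x43\xCD\x68",                         # mov ah,43h / int 68h
    "M10 debug register": rb"\x0F\x21[\xC0-\xFF]",                 # mov r32,DRn
    "M11 MeltICE name": _lit(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"),
    "M12 VWIN32_Int41Dispatch": rb"\x68\x2A\x00\x2A\x00",          # push 002A002Ah
    "M13 registry key": _lit(b"Software\\NuMega\\SoftICE"),
}
_COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}

def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every fingerprint hit, ordered by offset."""
    hits = []
    for name, rx in _COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)

def methods_found(data: bytes) -> set[str]:
    """Labels of all tricks present in the buffer."""
    return {name for _, name in scan(data)}

def decode_vxdcall(service: int) -> tuple[int, int]:
    """Split a VxDCall service dword into (VxD ID, service number):
    002A002Ah is VWIN32 (2Ah) service 2Ah, VWIN32_Int41Dispatch."""
    return service >> 16, service & 0xFFFF

# Constructed sample: the quoted instruction sequences and strings glued
# together behind a few NOPs. It is not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"    # method 01
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"            # method 02
    + b"\xBB\x02\x02\xCD\x2F"                    # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"        # method 05
    + b"\xB4\x43\xCD\x68"                        # method 07
    + b"\x0F\x21\xF8"                            # method 10: mov eax,dr7
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"         # method 11
    + b"\x68\x2A\x00\x2A\x00"                    # method 12
    + b"Software\\NuMega\\SoftICE\x00"           # method 13
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

A hit only says the constant is present; the neighbouring code still has to be read, since 0F386h or an int 41h call alone can be legitimate.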
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>