About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>