<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE exposes through INT 3: with EBP set to
the signature 'BCHK' and AX=0004h, a loaded SoftICE returns with AL cleared,
while without SoftICE the registers come back unchanged.

        mov     ebp, 04243484Bh         ; 'BCHK' signature
        mov     ax, 04h                 ; BoundsChecker function 04h
        int     3
        cmp     al, 4                   ; AL still 4 -> nobody answered
        jnz     SoftICE_Detected        ; AL changed -> SoftICE handled the call

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands available through INT 3, which give information
on breakpoints or execute SoftICE commands... It is also used to crash
SoftICE and to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in the SoftICE window)
  -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h  ('FG')
  -DI = 4A4Dh  ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP Envelope utility
used to protect DOS applications with the HASP dongle:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  when no debugger is loaded: with SoftICE absent, the INT 3 is not
  swallowed by the debugger but reaches the handler the program installed,
  which resumes execution at 00ADh.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get VxD API entry point). The call returns ES:DI -> the VxD's API entry
point, and leaves ES:DI untouched if no VxD with that ID is loaded, which
is why ES:DI is zeroed beforehand.

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h               ; Get Device API Entry Point
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; (still 0 if the VxD is not present)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger in answer to INT 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh                 ; debugger installation check
        int     41h
        cmp     ax, 0F386h              ; magic value answered by system debuggers
        jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the INT 41h
vector at its own dummy handler, so that without a debugger the call
returns with AX unchanged; a debugger that intercepts INT 41h ahead of the
vector table still answers 0F386h:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
                                        ; (assumed, as in Method 06; not in
                                        ; the original excerpt)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler (offset)
        xchg    bx, es:[41h*4+2]        ; swap in our handler (segment)
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret                            ; does nothing: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but harder to detect: the
program's INT 41h handler copies AL into CL. If the handler really ran,
CL == AL afterwards; if a debugger intercepted the interrupt instead, CX
is still 0 and the compare fails. (AL is read from I/O port 40h, the PIT
counter, so it is an arbitrary byte; should it happen to be 0 the check
gives a false negative.)

int41handler PROC
        mov     cl, al                  ; proof that our handler was reached
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; arbitrary byte from the PIT counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected        ; our handler did not run

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 debugger installation
check, AH=43h), which also answers with the magic value 0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device, and returns that device's Device Description Block (in
ECX) if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
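To make the Get_DDB lookup concrete, here is an added example (it is not from the original text and not VMM code): a C model of the walk Get_DDB performs over the VMM's linked list of Device Description Blocks, usable for methods 03, 04 and 09 alike since all three boil down to "is a VxD with ID 0202h or 7A5Fh present". The field layout (DDB_Next at 0, DDB_Req_Device_Number at 6, DDB_Name at 0Ch, DDB_Control_Proc at 18h) follows the VxD_Desc_Block structure in the Win9x DDK's vmm.inc; the three DDBs and the "ring 0 memory" they live in are constructed here so the code runs offline. Lookup semantics are the ones stated above: match by device ID, or by the 8-character space-padded name when the ID is 0, and return the DDB address or 0.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Leading fields of VxD_Desc_Block (vmm.inc, Win9x DDK). Only the fields a
   Get_DDB lookup needs are used; the others are kept so offsets stay faithful.
   VxD addresses are 32-bit, so "pointers" are offsets into a simulated memory image. */
typedef struct {
    uint32_t ddb_next;               /* 0x00: next DDB in the list, 0 = end */
    uint16_t ddb_sdk_version;        /* 0x04 */
    uint16_t ddb_req_device_number;  /* 0x06: VxD ID, 0 = UNDEFINED_DEVICE_ID */
    uint8_t  ddb_dev_major_version;  /* 0x08 */
    uint8_t  ddb_dev_minor_version;  /* 0x09 */
    uint16_t ddb_flags;              /* 0x0A */
    char     ddb_name[8];            /* 0x0C: 8 chars, space padded */
    uint32_t ddb_init_order;         /* 0x14 */
    uint32_t ddb_control_proc;       /* 0x18: Control_Dispatch entry */
} ddb_t;
_Static_assert(offsetof(ddb_t, ddb_name) == 0x0C, "DDB_Name offset");
_Static_assert(offsetof(ddb_t, ddb_control_proc) == 0x18, "DDB_Control_Proc offset");

/* Constructed ring 0 memory image holding the DDBs. */
#define MEM_SIZE 4096
static uint8_t g_mem[MEM_SIZE];

static uint32_t place_ddb(uint32_t at, uint16_t id, const char *name, uint32_t next)
{
    ddb_t d;
    size_t n = strlen(name);
    memset(&d, 0, sizeof d);
    d.ddb_next = next;
    d.ddb_req_device_number = id;
    memset(d.ddb_name, ' ', sizeof d.ddb_name);
    memcpy(d.ddb_name, name, n > 8 ? 8 : n);
    d.ddb_control_proc = 0xC0000000u + at;  /* arbitrary marker value */
    memcpy(g_mem + at, &d, sizeof d);
    return at;
}

/* System with SoftICE loaded: VWIN32 -> SICE -> SIWVID. Returns the list head. */
uint32_t build_ddb_list(void)
{
    uint32_t siwvid = place_ddb(0x300, 0x7A5F, "SIWVID", 0);
    uint32_t sice   = place_ddb(0x200, 0x0202, "SICE",   siwvid);
    return place_ddb(0x100, 0x002A, "VWIN32", sice);
}

/* System without SoftICE: the list holds VWIN32 only. */
uint32_t build_clean_ddb_list(void)
{
    return place_ddb(0x100, 0x002A, "VWIN32", 0);
}

/* Model of VMM Get_DDB: EAX = device ID (EDI -> name, used only when the ID
   is 0); returns ECX = DDB address, or 0 if no such VxD is installed. */
uint32_t get_ddb(uint32_t head, uint16_t device_id, const char *name8)
{
    char want[8];
    memset(want, ' ', sizeof want);
    if (device_id == 0) {
        if (name8 == NULL) return 0;
        size_t n = strlen(name8);
        memcpy(want, name8, n > 8 ? 8 : n);
    }
    for (uint32_t cur = head; cur != 0; ) {
        ddb_t d;
        if (cur + sizeof d > MEM_SIZE) return 0;   /* corrupt link: stop */
        memcpy(&d, g_mem + cur, sizeof d);
        if (device_id != 0 ? d.ddb_req_device_number == device_id
                           : memcmp(d.ddb_name, want, 8) == 0)
            return cur;
        cur = d.ddb_next;
    }
    return 0;
}

/* Method 09 as a ring 0 driver would do it: is either SoftICE VxD present? */
int softice_present(uint32_t head)
{
    return get_ddb(head, 0x0202, NULL) != 0 || get_ddb(head, 0x7A5F, NULL) != 0;
}

int main(void)
{
    uint32_t head = build_ddb_list();
    printf("SICE   DDB at %08X\n", get_ddb(head, 0x0202, NULL));
    printf("SIWVID DDB at %08X\n", get_ddb(head, 0x7A5F, NULL));
    printf("by name VWIN32 at %08X\n", get_ddb(head, 0, "VWIN32"));
    printf("SoftICE present: %d\n", softice_present(head));
    printf("SoftICE present (clean list): %d\n", softice_present(build_clean_ddb_list()));
    return 0;
}
```

The name match compares all 8 padded bytes, which is why a lookup by name needs the exact VxD name and not a prefix; the ID match is what the detection above relies on, since SICE and SIWVID have fixed IDs.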

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether any memory
breakpoints are set (DR0 to DR3). Their values can be manipulated or
changed as well (clearing BPMs, for instance).
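Reading DR7 is privileged (a MOV from a debug register faults in ring 3), which is why the check above is ring 0 only; what you do with the value, however, is plain bit arithmetic. The following is an added example (not from the original text) that decodes a DR7 value into its fields and clears one breakpoint slot the way a "clearing BPMs" routine would. The bit layout is the IA-32 one from the Intel SDM; the sample values are constructed: the two quoted above (0x400 and 0x700 differ only in bits 8 and 9, the LE/GE "exact breakpoint" enables, and neither has any L0..L3/G0..G3 bit set), plus two values with a hardware breakpoint armed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One hardware breakpoint slot as described by DR7. */
typedef struct {
    int local;      /* Li: enabled for the current task */
    int global;     /* Gi: enabled for all tasks */
    int rw;         /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len_bytes;  /* 1, 2, 4 (8 only on 64-bit; undefined on 32-bit) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge, gd;     /* bits 8, 9, 13 */
    int enabled_mask;   /* bit i set if slot i is enabled locally or globally */
} dr7_info;

static int len_field_to_bytes(unsigned f)
{
    switch (f) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* LEN=10b: 8 bytes on 64-bit, undefined on 32-bit */
    }
}

dr7_info dr7_decode(uint32_t dr7)
{
    dr7_info info = {0};
    for (int i = 0; i < 4; i++) {
        dr7_slot *s = &info.slot[i];
        s->local  = (dr7 >> (2 * i))     & 1;    /* L0..L3: bits 0,2,4,6 */
        s->global = (dr7 >> (2 * i + 1)) & 1;    /* G0..G3: bits 1,3,5,7 */
        s->rw     = (dr7 >> (16 + 4 * i)) & 3;   /* RWi: bits 16-17, 20-21, 24-25, 28-29 */
        s->len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3); /* LENi */
        if (s->local || s->global)
            info.enabled_mask |= 1 << i;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

dr7_slot dr7_get_slot(uint32_t dr7, int i) { return dr7_decode(dr7).slot[i]; }

/* The two observations of Method 10 as predicates. */
int dr7_has_breakpoints(uint32_t dr7) { return dr7_decode(dr7).enabled_mask != 0; }
int dr7_exact_mode(uint32_t dr7)      { dr7_info in = dr7_decode(dr7); return in.le && in.ge; }

/* Clear slot i the way an anti-debug routine "clearing BPMs" would: drop
   Li/Gi and the RWi/LENi fields, leave LE/GE/GD and the other slots alone. */
uint32_t dr7_clear_slot(uint32_t dr7, int i)
{
    dr7 &= ~(3u << (2 * i));            /* Li, Gi */
    dr7 &= ~(0xFu << (16 + 4 * i));     /* RWi, LENi */
    return dr7;
}

int main(void)
{
    /* Constructed: 0x400, 0x700, a DR0 read/write byte breakpoint (G0=1,
       RW0=11b, LEN0=00b) on top of 0x700, and a DR3 4-byte write
       breakpoint (L3=1, RW3=01b, LEN3=11b) on top of 0x400. */
    uint32_t samples[] = { 0x400, 0x700, 0x30702, 0xD0000440 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        dr7_info in = dr7_decode(samples[k]);
        printf("DR7=%08X LE=%d GE=%d GD=%d enabled=%X\n",
               samples[k], in.le, in.ge, in.gd, in.enabled_mask);
        for (int i = 0; i < 4; i++)
            if (in.enabled_mask & (1 << i))
                printf("  DR%d: %s rw=%d len=%d\n", i,
                       in.slot[i].global ? "global" : "local",
                       in.slot[i].rw, in.slot[i].len_bytes);
    }
    return 0;
}
```

Bit 10 of DR7 always reads as 1, so 0x400 is the "nothing set" value; a protection that compares the whole register against 0x400 will therefore also trip on LE/GE alone, not just on armed BPMs, which is exactly the loader case described above.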

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
themselves to let Symbol Loader check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. If the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The \\.\ prefix addresses the device by name; the open only succeeds
       if the SICE VxD is loaded and accepts the handle. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025                 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001                 ; INVALID_HANDLE_VALUE
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; -> '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; -> '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory. It is
used by a few programs, which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                          \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                          \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside the subkey strings of #2 and #1 respectively, so this breakpoint
does not fire on key #3.)
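The breakpoint conditions of Methods 11 and 13 are fixed-offset compares on the string argument. The following added example (not from the original text) reproduces both in C over a constructed API trace and computes where the 0x13 and 0x37 come from: they are the positions of "tICE" in the subkey strings of keys #2 and #1. It also shows the limit of that breakpoint: key #3 (App Paths\Loader32.Exe) contains no "tICE" and is not caught, so a substring match on "SoftICE" or "Loader32" would be needed there. The trace entries and API names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
   esp->4 is lpFileName; +4 skips the "\\.\" device prefix, and the 4-byte
   compare reads the next four characters of the device name. */
int is_softice_device_path(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8)
        return 0;                       /* not a \\.\ device name, or too short */
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (strncmp(path + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Method 13: offset of "tICE" inside a RegOpenKey subkey, or -1 if absent. */
int offset_of_tICE(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (int)(p - subkey) : -1;
}

/* The breakpoint exactly as written: only the two hard-coded offsets are checked. */
int bpx_regopenkey_fires(const char *subkey)
{
    size_t n = strlen(subkey);
    return (n >= 0x13 + 4 && memcmp(subkey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(subkey + 0x37, "tICE", 4) == 0);
}

/* Constructed API trace: {api, string argument}. */
typedef struct { const char *api; const char *arg; } trace_entry;

static const trace_entry g_trace[] = {
    { "CreateFileA", "\\\\.\\SICE" },
    { "CreateFileA", "\\\\.\\SIWVID" },
    { "CreateFileA", "\\\\.\\NTICE" },
    { "CreateFileA", "\\\\.\\PhysicalDrive0" },
    { "CreateFileA", "C:\\SICE" },
    { "RegOpenKeyA", "Software\\NuMega\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Run" },
};

/* Count the trace entries the two breakpoints would catch; *missed receives
   the number of SoftICE-related registry probes the fixed offsets let through. */
int count_softice_probes(const trace_entry *t, size_t n, int *missed)
{
    int hits = 0;
    if (missed) *missed = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].api, "CreateFileA") == 0) {
            hits += is_softice_device_path(t[i].arg);
        } else if (strcmp(t[i].api, "RegOpenKeyA") == 0) {
            if (bpx_regopenkey_fires(t[i].arg))
                hits++;
            else if (missed && (strstr(t[i].arg, "SoftICE") || strstr(t[i].arg, "Loader32")))
                (*missed)++;
        }
    }
    return hits;
}

int count_trace_hits(int *missed)
{
    return count_softice_probes(g_trace, sizeof g_trace / sizeof g_trace[0], missed);
}

int count_trace_missed(void) { int m; count_trace_hits(&m); return m; }

int main(void)
{
    int missed;
    int hits = count_trace_hits(&missed);
    printf("breakpoints fire %d times, %d SoftICE registry probe(s) missed\n", hits, missed);
    printf("tICE offsets: #2 -> 0x%X, #1 -> 0x%X, #3 -> %d\n",
           offset_of_tICE(g_trace[5].arg), offset_of_tICE(g_trace[6].arg),
           offset_of_tICE(g_trace[7].arg));
    return 0;
}
```

Note that the CreateFileA condition compares only four characters after the prefix, so "\\.\SICEXYZ" would also trigger it, while a relative path containing "SICE" would not; the registry condition is tighter, but bound to two exact subkey layouts.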

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed    ; ZF clear if a debugger is installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>