About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; only runs if nobody intercepts int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: a changing value, no fixed constant
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

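Added example (not part of the original text): a small Python decoder for the DR7 layout behind the values quoted above, dr7=0x700 under the SoftICE loader and 0x400 otherwise, plus the per-slot enable, R/W and LEN fields that tell whether dr0 to dr3 carry memory breakpoints. The bit positions are the documented x86 DR7 layout; the register images at the bottom are constructed.

```python
DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_BIT10 = 1 << 10        # reserved, reads as 1: the 0x400 baseline of a clean DR7
DR7_GD = 1 << 13           # general detect: traps any MOV to/from DR0-DR7

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7):
    """Global control bits of DR7 (slot enables are handled by slots())."""
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD), "bit10": bool(dr7 & DR7_BIT10)}


def slots(dr7, dr0_3):
    """Enabled hardware breakpoints as (slot, linear address, kind, length)."""
    found = []
    for i, addr in enumerate(dr0_3[:4]):
        local = (dr7 >> (2 * i)) & 1          # L0..L3
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LEN0..LEN3
        found.append((i, addr, RW_KIND[rw], LEN_BYTES[ln]))
    return found


def classify(dr7, dr0_3):
    """The method-10 reading of the registers: 0x700 (LE and GE set on top of
    bit 10) is the fingerprint the text attributes to the SoftICE loader;
    any enabled slot is a memory breakpoint (BPM) the debugger has armed."""
    bits = decode_dr7(dr7)
    return {"loader_fingerprint": bits["LE"] and bits["GE"],
            "bpm_count": len(slots(dr7, dr0_3))}


# Constructed register images
CLEAN = (0x400, [0, 0, 0, 0])            # no debugger, nothing armed
LOADER = (0x700, [0, 0, 0, 0])           # the value the text quotes for the SoftICE loader
# 0x400 baseline + L0 + R/W0 = read/write + LEN0 = 4 bytes: one BPM on 0x00401000
BPM_ONE = (0x400 | 0b1 | (0b11 << 16) | (0b11 << 18), [0x00401000, 0, 0, 0])

if __name__ == "__main__":
    for label, regs in (("clean", CLEAN), ("loader", LOADER), ("bpm", BPM_ONE)):
        print(label, classify(*regs), slots(*regs))
```

The decoder only interprets what a ring0 read of the registers returns; it makes no claim about why the loader leaves LE/GE set, it merely names the bits that make 0x700 differ from 0x400.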
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

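Added example (not part of the original text): a Python byte-pattern scanner for the interrupt-based tricks of methods 01 to 07 and the VxDCall variant of method 12, the kind of static check an analyst runs over a packed sample before loading it under a debugger. The opcode encodings are the standard 16/32-bit x86 ones for the instructions quoted in those sections (for instance `mov si,4647h` = BE 47 46, `int 2Fh` = CD 2F, `cmp ax,0F386h` = 3D 86 F3); the sample blob is constructed from the page's own listings, and the search window sizes are an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    parts: tuple   # opcode byte strings; the first is the anchor, the rest must
                   # all appear within `window` bytes of it
    window: int = 32


RULES = (
    Rule("method 01: BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
         (bytes.fromhex("BD4B484342"),), 0),
    Rule("method 02: back-door magic values (mov si,4647h + mov di,4A4Dh)",
         (bytes.fromhex("BE4746"), bytes.fromhex("BF4D4A"))),
    Rule("method 03: int 2Fh/1684h with SICE VxD ID 0202h",
         (bytes.fromhex("CD2F"), bytes.fromhex("B88416"), bytes.fromhex("BB0202"))),
    Rule("method 04: int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
         (bytes.fromhex("CD2F"), bytes.fromhex("B88416"), bytes.fromhex("BB5F7A"))),
    Rule("method 05: int 41h/4Fh compared against 0F386h",
         (bytes.fromhex("CD41"), bytes.fromhex("B84F00"), bytes.fromhex("3D86F3"))),
    Rule("method 06: int 41h after in al,40h (no magic constant to match)",
         (bytes.fromhex("CD41"), bytes.fromhex("E440"))),
    Rule("method 07: int 68h/43h compared against 0F386h",
         (bytes.fromhex("CD68"), bytes.fromhex("B443"), bytes.fromhex("3D86F3"))),
    Rule("method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh + push 002A002Ah)",
         (bytes.fromhex("682A002A00"), bytes.fromhex("6A4F"), bytes.fromhex("3D86F3"))),
)


def scan(blob, rules=RULES):
    """Return sorted (offset, rule name) hits; offset is that of the anchor."""
    hits = []
    for rule in rules:
        anchor = rule.parts[0]
        pos = blob.find(anchor)
        while pos != -1:
            lo = max(0, pos - rule.window)
            region = blob[lo:pos + len(anchor) + rule.window]
            if all(part in region for part in rule.parts[1:]):
                hits.append((pos, rule.name))
            pos = blob.find(anchor, pos + 1)
    return sorted(hits)


# Constructed sample: the page's listings assembled as 16-bit code, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("66BD4B484342" "B80400" "CC" "3C04" "7510")            # method 01
    + b"\x90" * 4
    + bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC" "83C302" "41")  # Haspinst (method 02)
    + b"\x90" * 4
    + bytes.fromhex("B84F00" "CD41" "3D86F3" "7406")                      # method 05, simplest form
    + b"\x90" * 4
    + bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F")               # method 03
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The window-based matching is deliberate: the magic values of method 02 or the `int 41h`/`cmp ax,0F386h` pair of method 05 are rarely adjacent in real code (Stone's variant swaps the interrupt vector in between), while a bare two-byte `int 41h` on its own would fire far too often. Method 06 has no constant to anchor on, so its rule can only pair the interrupt with the timer-port read and will be the noisiest.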
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

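Added example (not part of the original text) that models how the conditional breakpoints of methods 11 and 13 evaluate: `esp->n` is the dword at [esp+n], and a 4-character constant such as 'SICE' matches the four bytes in memory order. The stack frame layout (return address at [esp], stdcall arguments above it), the addresses and the argument strings are constructed assumptions; the offsets 0x13 and 0x37 are the ones from the `_regopenkey` breakpoint above, and the device names are the three the MeltICE section lists.

```python
import struct

MELTICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")
HKEY_LOCAL_MACHINE = 0x80000002


class Mem:
    """Flat little-endian memory image: a bytearray at a base address."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def read32(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]


def charconst(s):
    """SoftICE 4-character constant: 'SICE' equals the dword whose bytes spell
    S,I,C,E in memory order (assumed semantics, see lead-in)."""
    return int.from_bytes(s.encode("ascii"), "little")


def arg(mem, esp, n):
    """esp->n in SoftICE syntax: the dword stored at [esp+n]."""
    return mem.read32(esp + n)


def bpx_createfilea(mem, esp):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    name_ptr = arg(mem, esp, 4)                  # lpFileName, first argument
    probe = mem.read32(name_ptr + 4)             # skip the "\\.\" prefix
    return probe in {charconst("SICE"), charconst("SIWV"), charconst("NTIC")}


def bpx_regopenkey(mem, esp):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    subkey_ptr = arg(mem, esp, 8)                # lpSubKey, second argument
    t = charconst("tICE")
    return mem.read32(subkey_ptr + 0x13) == t or mem.read32(subkey_ptr + 0x37) == t


def evaluate_at_call(condition, args):
    """Lay out a stdcall frame in a fresh image (constructed addresses):
    [esp] = return address, [esp+4...] = arguments; str arguments are copied
    into memory and replaced by their address. Returns the condition result."""
    mem = Mem(0x00400000, 0x1000)
    esp, cursor = 0x00400800, 0x00400100
    dwords = []
    for a in args:
        if isinstance(a, str):
            data = a.encode("ascii") + b"\0"
            mem.write(cursor, data)
            dwords.append(cursor)
            cursor += len(data) + 0x40           # keep strings well apart
        else:
            dwords.append(a)
    mem.write(esp, struct.pack("<I", 0x00401234))          # fake return address
    mem.write(esp + 4, b"".join(struct.pack("<I", d) for d in dwords))
    return condition(mem, esp)


if __name__ == "__main__":
    for name in MELTICE_NAMES:
        print(name, evaluate_at_call(bpx_createfilea, (name, 0xC0000000)))
    print(evaluate_at_call(bpx_regopenkey,
                           (HKEY_LOCAL_MACHINE, r"Software\NuMega\SoftICE", 0)))
```

Two things the evaluator makes visible: the CreateFileA condition compares only the four characters after `\\.\`, which is why 'SIWV' is enough for `\\.\SIWVID`; and the `_regopenkey` condition only fires for keys #1 and #2 (offset 0x37 lands on "tICE" in `...\Uninstall\SoftICE`, offset 0x13 in `Software\NuMega\SoftICE`), so key #3 (`...\App Paths\Loader32.Exe`), if passed whole as the subkey string, is not caught and would need its own offset.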
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 )


Powered by Discuz! X3.5

© 2001-2025 Discuz! Team.
