<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises on int 3:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; answered by SoftICE when it is loaded
    cmp al, 4               ; al is still 4 if nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command..
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di              ; es:di = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table (setup not shown in the original listing)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]   ; (the old vector is saved in dx:bx)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; copy al into cl so the caller can check it
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value
    xor cx, cx
    int 41h                 ; our handler runs only if nobody else owns int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                 ; set interrupt vector
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but much more limited, because it is only available on Win95/98 (not
NT) as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; zero flag set = no debugger installed

This service just checks a flag.
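
Added here as an example (not part of this text, and not code from NuMega or from any of the tools named above): a small Python scanner that recognises the byte patterns of several of the checks described above in a raw binary, so an analyst can locate them in a sample before tracing it. The signatures are derived from the x86 encodings of the listings; the signature names, the gap sizes between instructions, and the constructed test image are assumptions of this example.

```python
import re

# Byte signatures for the SoftICE checks described above, constructed here
# from the x86 encodings of the listings in this text (not from any existing
# tool). Gaps like .{0,8} absorb interleaved instructions, and the optional
# 0x66 operand-size prefix covers both 16-bit and 32-bit code.
P66 = rb"\x66?"
SIGNATURES = {
    "method 01: mov ebp,'BCHK' / mov ax,4 / int 3":
        P66 + rb"\xBD\x4B\x48\x43\x42.{0,4}" + P66 + rb"\xB8\x04\x00(?:\xCC|\xCD\x03)",
    "method 02: mov si,4647h / mov di,4A4Dh / int 3":
        P66 + rb"\xBE\x47\x46.{0,8}" + P66 + rb"\xBF\x4D\x4A.{0,8}(?:\xCC|\xCD\x03)",
    "method 03/04: int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        P66 + rb"\xB8\x84\x16.{0,8}" + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    "method 05: mov ax,4Fh / int 41h":
        P66 + rb"\xB8\x4F\x00.{0,4}\xCD\x41",
    "method 07: mov ah,43h / int 68h":
        rb"\xB4\x43.{0,4}\xCD\x68",
    "magic compare: cmp ax,0F386h (methods 05/06/07/12)":
        P66 + rb"\x3D\x86\xF3",
    "method 11: SoftICE device name for CreateFile/_lopen":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "method 13: SoftICE registry key":
        rb"NuMega\\SoftICE",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: the listings above assembled as 16-bit code,
    separated by NOP sleds, plus a device name, a registry key and a
    harmless file name that must not trigger anything."""
    pad = b"\x90" * 16
    m01 = bytes.fromhex("66BD4B484342 B80400 CC 3C04 7500")  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    m02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")      # Haspinst.exe back door sequence
    m03 = bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")      # int 2Fh/1684h, VxD ID 0202h
    m05 = bytes.fromhex("B84F00 CD41 3D86F3 7400")           # int 41h/4Fh; cmp ax,0F386h; jz
    m07 = bytes.fromhex("B443 CD68 3D86F3")                  # int 68h/43h; cmp ax,0F386h
    return (pad + m01 + pad + m02 + pad + m03 + pad + m05 + pad + m07
            + pad + b"\\\\.\\SICE\x00"
            + pad + b"Software\\NuMega\\SoftICE\x00"
            + pad + b"\\\\?\\C:\\logs\\app.log\x00")


if __name__ == "__main__":
    for off, name in scan(build_sample()):
        print(f"{off:#06x}  {name}")
```

Run it against a whole file with scan(open(path, "rb").read()); the offsets are file offsets, so convert them to virtual addresses with the PE section table before setting a breakpoint there.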
</PRE></TD></TR></TBODY></TABLE>