About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface ('BCHK') that SoftICE exposes on
int 3: if SoftICE is loaded, its int 3 handler answers the call and AL no
longer holds the value 4 it was loaded with.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; unchanged if nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
3 P, v1 |+ P  {6 S) ^

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Device Entry Point).  With no such VxD loaded, ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
  I3 Q' u% v6 u" j, M
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

8 e' z8 B: _& `- Z* o0 J9 W) c
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The program installs its own int 41h
handler (a bare iret) first: if nobody else answers, ax is still 4Fh
afterwards; SoftICE intercepts int 41h before the IVT handler and returns
0F386h anyway.

    xor     ax,ax
    mov     es,ax           ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
* r' V$ P! z" i: w; s" n

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
instead of looking for 0F386h, the program checks whether its own int 41h
handler ran at all.  AL is seeded from the timer port (40h) so the expected
value is not a constant; the handler copies it into CL.  If SoftICE took
the interrupt, the handler never ran, CL is still 0 and the compare fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
4 M+ U7 t7 [* [/ m( O( A
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
: c9 d* q( H( Q" Q$ g
, X2 V' H( i  r& {) c7 E
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
- G  t& l' X2 w+ p
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
1 ?" E: E/ ^$ M2 H0 P" K9 |4 y& D; M0 m' |5 M; \" v0 {: d/ W
Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only).  The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
9 l' x' [5 A7 |$ S6 |2 X) k0 U
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.  A driver that is not loaded has
no device to open, so the call fails with INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name registered by the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;    /* the open succeeded: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix
 so the DWORD compare sees the driver name):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns -1 on failure, so inc eax
leaves zero exactly when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door.  This detection was found in the Bleem demo.

   push  0000004Fh         ; function 4Fh
   push  002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
2 v+ |+ v  U/ X3 [; t3 W
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which read the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of 'tICE' in the subkey strings of #2 and #1 respectively, so key #3
is not covered by this condition):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

8 `$ z" u: W5 N  K! o% P5 T: l+ u/ ]8 u2 C7 B* C3 h$ y  R  `
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).  The service returns with the zero flag set when no debugger
is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
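Several of the sequences above carry fixed operands (the 'BCHK' constant, the 4647h/4A4Dh magic values, the VxD IDs 0202h and 7A5Fh, the 002A002Ah VxDCall selector), so an analyst can spot them statically in a packed executable before ever running it under SoftICE. The scanner below is an added example written for this page, not code from the original text: the byte patterns are hand-encoded from the instruction forms shown (16-bit encodings for the DOS/V86 snippets, 32-bit encodings for the Method 01 `mov ebp` and the Method 12 pushes), the `SAMPLE` buffer is constructed by hand-assembling the Haspinst.exe listing from Method 02 followed by the Method 03 sequence, and the signature names are this example's own. Assemblers may choose other encodings (a 66h operand-size prefix, `mov al,4` in place of `mov ax,4`), so a miss proves nothing and a hit is a lead to confirm in the debugger, not a verdict.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One byte signature per detection sequence from the text above. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} trick_sig;

/* Method 01: mov ebp,4243484Bh ('BCHK'), 32-bit encoding            */
static const uint8_t SIG_BCHK[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h / mov di,4A4Dh (int 3 back-door magic)     */
static const uint8_t SIG_INT3_MAGIC[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh            */
static const uint8_t SIG_2F_SICE[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t SIG_2F_SIWVID[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh / int 41h                                    */
static const uint8_t SIG_INT41_4F[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h / int 68h                                    */
static const uint8_t SIG_INT68_43[]   = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 12: push 4Fh / push 2A002Ah ahead of the VxDCall            */
static const uint8_t SIG_VXDCALL_41[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

#define SIG(n, a) { n, a, sizeof(a) }
static const trick_sig SIGS[] = {
    SIG("01 BCHK int 3",            SIG_BCHK),
    SIG("02 int 3 back door",       SIG_INT3_MAGIC),
    SIG("03 int 2Fh/1684h SICE",    SIG_2F_SICE),
    SIG("04 int 2Fh/1684h SIWVID",  SIG_2F_SIWVID),
    SIG("05 int 41h/4Fh",           SIG_INT41_4F),
    SIG("07 int 68h/43h",           SIG_INT68_43),
    SIG("12 VxDCall Int41Dispatch", SIG_VXDCALL_41),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

typedef struct {
    const char *name;
    size_t      offset;
} trick_hit;

/* Scan buf for every signature at every offset; returns the number of
 * hits stored in hits[] (at most max), in ascending offset order. */
size_t find_tricks(const uint8_t *buf, size_t n, trick_hit *hits, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n && found < max; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (SIGS[s].len <= n - off &&
                memcmp(buf + off, SIGS[s].bytes, SIGS[s].len) == 0) {
                hits[found].name   = SIGS[s].name;
                hits[found].offset = off;
                found++;
                break;              /* one hit per offset is enough */
            }
        }
    }
    return found;
}

/* Constructed sample input (not bytes from any real file): the Haspinst.exe
 * loop of Method 02 hand-assembled from its listing, three NOPs, then the
 * Method 03 sequence. Instruction sizes match the listing's addresses. */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,       /* 0095 mov ax,0911h              */
    0x8B, 0x17,             /* 0098 mov dx,[bx]               */
    0xBE, 0x47, 0x46,       /* 009A mov si,4647h  <- hit @5   */
    0xBF, 0x4D, 0x4A,       /* 009D mov di,4A4Dh              */
    0xCC,                   /* 00A0 int 3 (alone: no signature)*/
    0x83, 0xC3, 0x02,       /* 00A1 add bx,2                  */
    0x41,                   /* 00A4 inc cx                    */
    0x83, 0xF9, 0x06,       /* 00A5 cmp cx,6                  */
    0x72, 0xEB,             /* 00A8 jb 0095                   */
    0xE9, 0x55, 0xFF,       /* 00AA jmp 0002                  */
    0x8B, 0xDC,             /* 00AD mov bx,sp                 */
    0x90, 0x90, 0x90,       /* filler                         */
    0x31, 0xFF,             /*      xor di,di                 */
    0x8E, 0xC7,             /*      mov es,di                 */
    0xB8, 0x84, 0x16,       /*      mov ax,1684h  <- hit @33  */
    0xBB, 0x02, 0x02,       /*      mov bx,0202h              */
    0xCD, 0x2F,             /*      int 2Fh                   */
};

/* Runs the scanner over the constructed sample. */
size_t scan_sample(trick_hit *hits, size_t max)
{
    return find_tricks(SAMPLE, sizeof SAMPLE, hits, max);
}

int main(void)
{
    trick_hit hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

On the sample, the scanner reports the int 3 back-door magic at offset 5 and the int 2Fh/1684h SICE probe at offset 33; the bare `int 3` and the `mov ax,0911h` in between are deliberately not signatures, because on their own they are far too common to be meaningful. To run it over a real binary, read the file into a buffer and call `find_tricks` on it.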