<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

   mov ebp, 04243484Bh  ; 'BCHK' magic value expected by SoftICE
   mov ax, 04h          ; BoundsChecker sub-function 4
   int 3                ; SoftICE intercepts the breakpoint interrupt
   cmp al,4             ; al is no longer 4 once SoftICE handled the call
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

   xor di,di
   mov es,di           ; ES:DI = 0:0 before the call
   mov ax, 1684h       ; int 2Fh function 1684h: get VxD API entry point
   mov bx, 0202h       ; VxD ID of WinICE
   int 2Fh
   mov ax, es          ; ES:DI -> VxD API entry point (stays 0:0 if no VxD)
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh       ; VxD ID of SIWVID
   int 2fh
   mov ax, es          ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

   mov ax,4fh          ; int 41h function 4Fh: debugger installation check
   int 41h
   cmp ax, 0F386h      ; magic number returned by a system debugger
   jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

   xor ax,ax
   mov es,ax                 ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]       ; install a dummy int 41h handler,
   xchg bx, es:[41h*4+2]     ; saving the old vector in bx:dx
   mov ax,4fh
   int 41h                   ; with no debugger the dummy handler leaves ax=4Fh
   xchg dx, es:[41h*4]       ; restore the old vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret                      ; does nothing, so ax is unchanged
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
   mov cl,al                 ; copy al into cl to prove this handler ran
   iret
int41handler ENDP

   xor ax,ax
   mov es,ax                 ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]       ; install our handler, saving the old vector in bx:dx
   xchg bx, es:[41h*4+2]
   in al, 40h                ; read the timer for a hard-to-predict value
   xor cx,cx
   int 41h                   ; our handler sets cl=al; SoftICE's does not
   xchg dx, es:[41h*4]       ; restore the old vector
   xchg bx, es:[41h*4+2]
   cmp cl,al
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

   mov ah, 25h                      ; int 21h function 25h: set interrupt vector
   mov al, Int_Number               ; 01h or 03h
   mov dx, offset New_Int_Routine   ; ds:dx -> new handler
   int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


   00401067: push 00402025     ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                    ; OF_READ
   mov eax,[00656634]         ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                    ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz 00650589               ; detected
   push 00                    ; OF_READ
   mov eax,[00656638]         ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push 0000004fh         ; function 4fh
   push 002a002ah         ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_001  ; VxdCall
   cmp ax, 0f386h         ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f
   BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
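An added example, not part of the original document: a small Python signature scanner for the checks of methods 01 to 07, 11 and 12 above, which an analyst can run over a DOS or Win9x binary to flag where these anti-SoftICE tricks sit before stepping through them. The byte patterns are derived by hand from the instruction encodings of the listings above and the sample buffer is constructed for this example; both are assumptions of mine, not data from the page.

```python
import re

# Byte-level signatures of the anti-SoftICE checks from methods 01-07, 11
# and 12 (hand-encoded from the listings; an optional 66h prefix covers the
# 32-bit form of the 16-bit register loads).
SIGNATURES = [
    ("01 int3/BCHK",         rb"\xBD\x4B\x48\x43\x42"),                      # mov ebp,4243484Bh
    ("02 back door magic",   rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A"),          # mov si,4647h .. mov di,4A4Dh
    ("03 int2F/1684 SICE",   rb"\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F"),     # mov ax,1684h; mov bx,202h; int 2Fh
    ("04 int2F/1684 SIWVID", rb"\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F"),     # mov bx,7A5Fh variant
    ("05 int41/4F",          rb"\xB8\x4F\x00\xCD\x41"),                      # mov ax,4Fh; int 41h
    ("07 int68/43",          rb"\xB4\x43\xCD\x68"),                          # mov ah,43h; int 68h
    ("11 device name",       rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),         # "\\.\SICE",0 and friends
    ("12 VxDCall int41",     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),              # push 4Fh; push 2A002Ah
]


def scan(blob):
    """Return a sorted list of (offset, label) for every signature hit in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not from any real binary): 16-bit fragments of methods
# 02 and 05 plus the MeltICE device string, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"             # mov ax,0911h
    + b"\x8B\x17"                 # mov dx,[bx]
    + b"\xBE\x47\x46"             # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"             # mov di,4A4Dh
    + b"\xCC"                     # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"     # mov ax,4Fh ; int 41h   (offset 20)
    + b"\x3D\x86\xF3"             # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"          # '\\.\SICE',0   (offset 32)
)


if __name__ == "__main__":
    # Swap SAMPLE for open(path, "rb").read() to scan a real file.
    for offset, label in scan(SAMPLE):
        print("0x%08X  method %s" % (offset, label))
```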

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed   ; sets ZF when no debugger is installed
   je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>