<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface (the 'BCHK' signature):

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; al is still 4 if nothing answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; ds:dx points to the command)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di               ; ES:DI stays 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov cl, al               ; remember the value int 41h was called with
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; pseudo-random value read from the timer port
    xor cx, cx
    int 41h                  ; our handler copies al into cl, unless the call was taken elsewhere
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow its
handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
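Added example, not part of the original text: a small static triage scanner that flags a sample carrying the byte patterns of the checks described above (the 'BCHK' load of Method 01, the 4647h/4A4Dh magic values of Method 02, int 2Fh/1684h, int 41h/4Fh, int 68h/43h, the 0F386h compare, the \\.\SICE device names, the VxDCall pushes of Method 12 and the NuMega registry key), so an analyst knows which anti-SoftICE tricks to expect before debugging. The instruction encodings are standard x86; the sample buffer is constructed here and does not come from Haspinst.exe or MeltICE.

```python
import re

# Byte encodings of the checks in the text (immediates are little-endian):
#   mov ebp, 4243484Bh            -> BD 4B 48 43 42        (Method 01, 'BCHK')
#   mov si, 4647h / mov di, 4A4Dh -> BE 47 46 / BF 4D 4A   (Method 02, magic values)
#   mov ax, 1684h ; mov bx, ID ; int 2Fh -> B8 84 16 BB .. .. CD 2F (Methods 03/04)
#   mov ax, 4Fh / int 41h         -> B8 4F 00 CD 41        (Method 05)
#   mov ah, 43h / int 68h         -> B4 43 CD 68           (Method 07)
#   cmp ax, 0F386h                -> 3D 86 F3              (Methods 05/07/12)
#   push 4Fh / push 002A002Ah     -> 68 4F 00 00 00 68 2A 00 2A 00 (Method 12)
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3":   re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "M02 back door magic SI/DI":        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A"),
    "M03/04 int 2Fh/1684h VxD lookup":  re.compile(
        rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    "M05 int 41h/4Fh":                  re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    "M07 int 68h/43h":                  re.compile(rb"\xB4\x43\xCD\x68"),
    "magic number 0F386h compare":      re.compile(rb"\x3D\x86\xF3"),
    "M11 MeltICE device names":         re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    "M12 VxDCall VWIN32_Int41Dispatch": re.compile(
        rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    "M13 NuMega registry key":          re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(buf):
    """Return a sorted list of (offset, signature name) for every hit in buf."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: padding, the Method 02 sequence as in the Haspinst listing
# (MOV AX,0911 / MOV SI,4647 / MOV DI,4A4D / INT 3), a Method 05 check with the
# 0F386h compare, and a MeltICE device name.
SAMPLE = (b"\x90" * 16
          + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x00" * 8
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
          + b"\x00" * 8
          + b"\\\\.\\SICE\x00"
          + b"\x00" * 8)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```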