<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP = 'BCHK'
and AX = 4, SoftICE's int 3 handler answers by modifying AL, so AL is
still 4 only when SoftICE is not loaded.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL unchanged -> no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911    ; execute command.
4C19:0098 MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647    ; 1st magic value.
4C19:009D MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0 INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8 JB   0095       ; 6 different commands.
4C19:00AA JMP  0002       ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"). If the VxD is not loaded, ES:DI comes
back as 0000h:0000h.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is
temporarily replaced by a dummy handler (a plain IRET), so that a handler
installed in the interrupt vector table cannot answer in place of the
debugger; the original vector is restored afterwards:

    xor ax, ax
    mov es, ax              ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install dummy handler, old vector saved in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The dummy handler copies AL into CL; the caller reads a varying value
from port 40h (system timer) into AL, clears CX and calls int 41h. When
the dummy handler runs, CL equals AL afterwards; when the interrupt is
taken by the debugger instead and never reaches the handler, CL stays 0.
(If the value read from port 40h happens to be 0, the compare succeeds
even with SoftICE loaded.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install handler, old vector saved in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; varying value, not 4Fh
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h             ; debugger installation check
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                      ; DOS: set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3) simply by reading
their value (in ring0 only: MOV reg, DRn is a privileged instruction).
Values can be manipulated and/or changed as well (clearing BPMs, for
instance).
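The following decoder is an added example, not code from the original page: it takes DR7/DR0-DR3 values (which a real check would have to read in ring0 with MOV reg, DRn) and works out what they mean, using the DR7 bit layout from the Intel manual. The register snapshot in main() is constructed for the example. It also shows why 0x400 is the "nothing set" baseline (bit 10 of DR7 is reserved and always reads as 1) and why 0x700 means the LE/GE exact-breakpoint enables are set on top of that, which the page attributes to programs started from the SoftICE loader.

```c
/* Added example: decode DR7 / DR0-DR3 snapshots as an anti-debugging
 * routine would after reading them in ring0. Bit layout from the Intel
 * SDM ("Debug Registers"); register values below are constructed for the
 * example, not read from a real machine. */
#include <stdint.h>
#include <stdio.h>

/* Which of the four hardware breakpoints are armed: bit i of the result is
 * set when L_i (DR7 bit 2*i) or G_i (DR7 bit 2*i+1) is set. */
int dr7_active_mask(uint32_t dr7)
{
    int mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))
            mask |= 1 << i;
    return mask;
}

/* R/W_i field (bits 16+4i..17+4i): 0 = execute, 1 = write, 3 = read/write
 * (2 = I/O breakpoint, only meaningful when CR4.DE is set). */
int dr7_rw(uint32_t dr7, int i) { return (dr7 >> (16 + 4 * i)) & 3; }

/* LEN_i field (bits 18+4i..19+4i) converted to a byte count. Encoding 2
 * means 8 bytes on 64-bit processors and is undefined on 32-bit ones. */
int dr7_len_bytes(uint32_t dr7, int i)
{
    switch ((dr7 >> (18 + 4 * i)) & 3) {
    case 0: return 1;
    case 1: return 2;
    case 3: return 4;
    default: return 8;
    }
}

/* Bits 8 (LE) and 9 (GE) are the "exact breakpoint" enables; bit 10 is
 * reserved and always reads as 1. Hence an idle DR7 reads 0x400 and
 * 0x700 is 0x400 with LE|GE added. */
int dr7_exact_enables_set(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

/* Does the window [addr, addr+size) overlap any armed breakpoint (a BPM)? */
int dr_covers(uint32_t dr7, const uint32_t dr[4], uint32_t addr, uint32_t size)
{
    int mask = dr7_active_mask(dr7);
    for (int i = 0; i < 4; i++) {
        if (!(mask & (1 << i))) continue;
        uint32_t lo = dr[i], hi = dr[i] + (uint32_t)dr7_len_bytes(dr7, i);
        if (lo < addr + size && addr < hi) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed snapshot: a SoftICE-style "BPM 401000 W" on DR0 (global,
     * write, 4 bytes) plus LE|GE: DR7 = 0x700 | G0 | RW0=01 | LEN0=11. */
    uint32_t dr7 = 0x700u | 0x2u | (1u << 16) | (3u << 18);   /* 0x000D0702 */
    uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };

    printf("DR7=%08X active mask=%d exact enables=%d\n", dr7,
           dr7_active_mask(dr7), dr7_exact_enables_set(dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_active_mask(dr7) & (1 << i))
            printf("  DR%d=%08X rw=%d len=%d\n", i, dr[i],
                   dr7_rw(dr7, i), dr7_len_bytes(dr7, i));
    printf("0x400 baseline: active=%d exact=%d\n",
           dr7_active_mask(0x400), dr7_exact_enables_set(0x400));
    printf("BPM covers 401002? %d\n", dr_covers(dr7, dr, 0x401002u, 1));
    return 0;
}
```

A protection that reads the debug registers would use dr7_active_mask() to spot BPMs and dr_covers() to check whether its own code or data is being watched; the 0x300 test is the page's own loader heuristic and nothing more.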
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the Win32 device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; "\\.\SICE"
0040106C: call CreateFileA
00401071: cmp  eax,-001       ; INVALID_HANDLE_VALUE
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 land on the "tICE" of keys #2 and #1 respectively):

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
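The conditional breakpoints of Method 11 (*(esp->4+4)=='SICE' on CreateFileA) and Method 13 (*(esp->8+0x13)=='tICE' on _regopenkey) both rely on SoftICE reading a DWORD at a fixed offset into an argument string and comparing it with a 4-character literal taken in memory order. The program below is an added example, not code from the page or from SoftICE: it reproduces that comparison in C on constructed argument strings so the offsets can be checked offline, and adds a helper that computes the offset a new clause would need. The argument strings in main() are constructed for the example.

```c
/* Added example: the 4-byte literal comparisons used in SoftICE
 * conditional breakpoints such as *(esp->4+4)=='SICE' (CreateFileA) and
 * *(esp->8+0x13)=='tICE' (_regopenkey), reproduced on constructed
 * argument strings. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Read the 4 bytes at str+off as SoftICE's '*' operator does and compare
 * them with the literal in memory order. Returns 0 when the string is too
 * short to hold 4 bytes there (the real breakpoint would read whatever
 * follows the terminator in memory). */
static int dword_at_equals(const char *str, size_t off, const char lit[4])
{
    if (strlen(str) < off + 4) return 0;
    return memcmp(str + off, lit, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName and
 * +4 skips the "\\.\" device prefix. */
int is_softice_device_name(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE") ||
           dword_at_equals(lpFileName, 4, "SIWV") ||
           dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is lpSubKey; 0x13 hits "tICE" in "Software\NuMega\SoftICE" and
 * 0x37 hits it in "...\CurrentVersion\Uninstall\SoftICE". */
int is_softice_registry_path(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE") ||
           dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* Offset of the first 4-byte window of str equal to lit, or -1: the value
 * to put after "esp->8+" when writing a clause for another key. */
long find_dword_offset(const char *str, const char lit[4])
{
    size_t n = strlen(str);
    for (size_t off = 0; off + 4 <= n; off++)
        if (memcmp(str + off, lit, 4) == 0) return (long)off;
    return -1;
}

int main(void)
{
    /* Constructed arguments, as a detection routine would pass them. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };

    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("device match=%d  %s\n", is_softice_device_name(files[i]), files[i]);
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("registry match=%d  'tICE' at offset %ld  %s\n",
               is_softice_registry_path(keys[i]),
               find_dword_offset(keys[i], "tICE"), keys[i]);
    return 0;
}
```

Running it shows that the two offsets in the page's breakpoint are exactly right for keys #1 and #2, and that key #3 (App Paths\Loader32.Exe) contains no "tICE" at all, so a program that only reads key #3 slips past that breakpoint; find_dword_offset() gives the offset for any other literal you want to add.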

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
The service returns with the Zero flag set if no debugger is installed:

    VMMCall Test_Debug_Installed
    je  not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>