<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: a BoundsChecker-aware
SoftICE answers the INT 3 below by changing AL, so AL still being 4 afterwards
means no SoftICE.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint information)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' SoftICE checks for before honouring the request.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911      ; execute command.
    4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647      ; 1st magic value.
    4C19:009D MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT  3            ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06        ; repeat 6 times to execute
    4C19:00A8 JB   0095         ; 6 different commands.
    4C19:00AA JMP  0002         ; Bad_Guy: jump back.
    4C19:00AD MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot).

* the "jmp to 00ADh" is performed via an exception handler (an SEH in the
  original wording) if the debugger is not loaded.
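When you meet the loop above in a dead listing, the useful thing to recover is
the command table itself: six little-endian near pointers that MOV DX,[BX] /
ADD BX,2 walks, each pointing at an ASCIIZ SoftICE command in DS. The C below
is an added example, not code from the original text or from Haspinst.exe; the
data segment image, its offsets and the function names are constructed for the
example. It extracts the commands from such an image, stops cleanly when the
table or a string runs past the end of the dump, and flags the HBOOT entry.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_CMDS    6    /* CMP CX,06: the loop runs six times */
#define MAX_CMD_LEN 32

/* Constructed data segment image (not a dump of Haspinst.exe): a table of
 * six little-endian near pointers at DS:0000, each pointing at an ASCIIZ
 * SoftICE command further up the segment. */
static const uint8_t sample_ds[] = {
    0x0C,0x00, 0x10,0x00, 0x14,0x00, 0x18,0x00, 0x1C,0x00, 0x1F,0x00,
    'L','D','T',0,             /* 0x0C */
    'I','D','T',0,             /* 0x10 */
    'G','D','T',0,             /* 0x14 */
    'T','S','S',0,             /* 0x18 */
    'R','S',0,                 /* 0x1C */
    'H','B','O','O','T',0      /* 0x1F */
};

/* Read the 16-bit little-endian word at DS:off (what MOV DX,[BX] loads).
 * Returns 0 on success, -1 when the word lies outside the segment image. */
static int rd16(const uint8_t *seg, size_t seglen, uint16_t off, uint16_t *val)
{
    if ((size_t)off + 1 >= seglen) return -1;
    *val = (uint16_t)(seg[off] | (seg[off + 1] << 8));
    return 0;
}

/* Copy the ASCIIZ string at DS:off into out. Returns its length, or -1 if
 * the string runs past the end of the segment or past outlen-1 bytes. */
static int read_asciiz(const uint8_t *seg, size_t seglen, uint16_t off,
                       char *out, size_t outlen)
{
    size_t n = 0;
    while ((size_t)off + n < seglen && n + 1 < outlen) {
        out[n] = (char)seg[off + n];
        if (out[n] == '\0') return (int)n;
        n++;
    }
    out[n] = '\0';   /* n <= outlen-1 here, so this stays in bounds */
    return -1;
}

/* Walk the pointer table the way the loop at 4C19:0095 does (MOV DX,[BX];
 * ADD BX,2; ... CMP CX,06). Fills cmds[], returns how many commands were
 * recovered, and sets *hboot_index to the first HBOOT entry (-1 if none). */
int extract_sice_commands(const uint8_t *seg, size_t seglen, uint16_t table_off,
                          char cmds[MAX_CMDS][MAX_CMD_LEN], int *hboot_index)
{
    int count = 0;
    *hboot_index = -1;
    for (int i = 0; i < MAX_CMDS; i++) {
        uint16_t ptr;
        if (rd16(seg, seglen, (uint16_t)(table_off + 2 * i), &ptr) < 0) break;
        if (read_asciiz(seg, seglen, ptr, cmds[i], MAX_CMD_LEN) < 0) break;
        if (*hboot_index < 0 && strcmp(cmds[i], "HBOOT") == 0) *hboot_index = i;
        count++;
    }
    return count;
}

int main(void)
{
    char cmds[MAX_CMDS][MAX_CMD_LEN];
    int hb;
    int n = extract_sice_commands(sample_ds, sizeof sample_ds, 0, cmds, &hb);
    for (int i = 0; i < n; i++)
        printf("command %d: %s%s\n", i, cmds[i],
               i == hb ? "   <-- hard reboot if SoftICE is loaded" : "");
    return 0;
}
```

The bounds checks matter in practice: a partial dump (for instance a segment
cut short by the dumper) must not make the walker read past the buffer, so a
string that is not terminated inside the image ends the extraction instead of
producing a bogus command.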
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): a non-zero ES:DI after the call means the VxD
answered, i.e. it is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). This one first hooks int 41h with a
handler that does nothing but IRET, so on a machine without a system debugger
AX is still 4Fh afterwards; only a resident debugger that intercepts int 41h
before the IVT handler answers with 0F386h:

    xor ax, ax
    mov es, ax                  ; ES = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

The second Stone variant is similar to the preceding one but harder to spot,
because it never compares against the magic value. The installed handler
copies AL to CL; CX is zeroed and AL is loaded with a changing value (the PIT
counter read from port 40h) before the int 41h. If the program's own handler
ran, CL equals AL afterwards; if a system debugger serviced the interrupt
itself, the handler never ran and CL (still 0) differs from AL:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0, the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; a value that is unlikely to be 0
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (which hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ECX) if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this method. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can tell whether SoftICE is
loaded (DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (DR0 to DR3 hold their
addresses, DR7 the enable bits). The values can be manipulated as well
(clearing BPMs, for instance).
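What those two DR7 values mean is easier to see with the register decoded
field by field. The C below is an added example, not from the original text:
it decodes DR7 using the documented x86 layout (L/G enable bits 0..7, LE/GE
in bits 8 and 9, the always-1 bit 10, GD in bit 13, and the R/W and LEN pairs
from bit 16 up), counts the armed DR0..DR3 slots, mirrors the text's heuristic
and shows the "clear BPMs" manipulation. Reading DR7 needs ring 0, so the
value is passed in as a plain integer; the sample values are constructed.

```c
#include <stdio.h>
#include <stdint.h>

typedef struct {
    int l[4];          /* Ln (bits 0,2,4,6): breakpoint n enabled for the current task */
    int g[4];          /* Gn (bits 1,3,5,7): breakpoint n enabled globally */
    int rw[4];         /* R/Wn (bits 16+4n): 0 exec, 1 write, 2 I/O, 3 read/write */
    int len[4];        /* LENn (bits 18+4n): 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
    int le, ge;        /* bits 8, 9: local/global exact breakpoint enable */
    int gd;            /* bit 13: general detect, traps any MOV to/from DRn */
    int reserved_ok;   /* bit 10 reads as 1 on every x86 */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    for (int n = 0; n < 4; n++) {
        d.l[n]   = (dr7 >> (2 * n)) & 1;
        d.g[n]   = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    d.reserved_ok = (dr7 >> 10) & 1;
    return d;
}

/* Number of DR0..DR3 slots that are armed (BPM-style breakpoints). */
int dr7_active_breakpoints(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.l[i] || d.g[i]);
    return n;
}

/* The text's heuristic: armed slots mean BPMs are set; LE and GE set with no
 * slot armed (0x700) is what the SoftICE loader leaves behind; 0x400 is the
 * idle value (only the always-1 bit). LE/GE are ignored by P6 and later CPUs,
 * which is why a debugger can set them without visible effect. */
const char *dr7_classify(uint32_t dr7)
{
    if (dr7_active_breakpoints(dr7) > 0) return "hardware breakpoints set";
    if (dr7 == 0x700) return "SoftICE loader";
    if (dr7 == 0x400) return "idle";
    return "other";
}

/* Disarm every slot and drop its R/W and LEN fields, keeping only the control
 * bits 8..15 (LE, GE, GD, the reserved bit). This is the "clearing BPMs"
 * manipulation the text mentions; the result must be written back to DR7. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    /* constructed samples: idle, SoftICE loader, and DR0 armed as a 4-byte read/write BPM */
    uint32_t samples[] = { 0x400u, 0x700u, 0xF0401u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("DR7=%08x: %s (LE=%d GE=%d GD=%d, armed=%d, R/W0=%d LEN0=%d)\n",
               samples[i], dr7_classify(samples[i]), d.le, d.ge, d.gd,
               dr7_active_breakpoints(samples[i]), d.rw[0], d.len[0]);
    }
    return 0;
}
```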

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves, to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SICE VxD by its device name; this only succeeds if the VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There are hundreds of BPXs you could use to catch this trick.
-The most classical one (esp->4 is the filename argument, +4 skips the
 "\\.\" prefix, so the dword compared is the first four characters of the
 device name; 'SIWV' therefore also matches SIWVID):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; -1 (HFILE_ERROR) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it only works on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem
demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word selects the VxD (VWIN32),
                                ; low word selects the service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp  ax, 0f386h             ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the subkey string; offsets 0x13 and
0x37 land on the "tICE" of keys #2 and #1 respectively):
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>