About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the utility the HASP
dongle Envelope uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
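Every method above leaves a recognisable idiom in the protected binary: fixed immediates (4647h/4A4Dh, 0202h/7A5Fh, 4Fh, 0F386h), interrupt numbers, device names and registry paths. The BPX/BPINT conditions quoted in the text catch those idioms at run time under SoftICE; the same idioms can be found statically when triaging a sample. The following Python scanner is an added example and is not part of the original text: it searches a file image for the instruction encodings of methods 01 to 05, 07 and 12, and for the `\\.\SICE` / `\\.\SIWVID` / `\\.\NTICE` device names and the `NuMega\SoftICE` registry path of methods 11 and 13. The opcode bytes are the standard x86 encodings of the instructions quoted above; the sample blob is constructed by hand from those encodings and is not taken from any real program.

```python
import re
from typing import List, Tuple

# Byte-level signatures of the SoftICE detection idioms quoted in the text.
# Opcode bytes are the usual x86 encodings (little-endian immediates):
#   mov ax,imm16 = B8 lo hi   mov bx,imm16 = BB lo hi   mov si,imm16 = BE lo hi
#   mov di,imm16 = BF lo hi   mov ah,imm8  = B4 ib      mov ebp,imm32 = BD id
#   int imm8     = CD ib      int 3        = CC
#   push imm8    = 6A ib      push imm32   = 68 id
# A lazy ".{0,N}?" gap tolerates a few unrelated bytes between the parts.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("M01 BoundsChecker 'BCHK' in ebp + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46).{0,16}?\xCC", re.DOTALL)),
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("M05 int 41h/4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("M07 int 68h/43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("M12 VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
    # Plain-text artefacts of the MeltICE (M11) and registry (M13) checks.
    ("M11 SoftICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE)),
    ("M13 SoftICE registry path",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a whole file image (DOS .exe, PE, raw dump) as opaque bytes."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample, not taken from any real binary: the Haspinst-style
# back-door sequence of Method 02, the Method 05 int 41h check and the
# MeltICE device name, separated by NOP (90h) padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h   (execute command)
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h   (1st magic value)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh   (2nd magic value)
    + b"\xCC"                  # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00"          # mov ax,4Fh
    + b"\xCD\x41"              # int 41h
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0 as the MeltICE code stores it
)

if __name__ == "__main__":
    import sys
    # With a path argument the real file is scanned; otherwise the sample.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, label in hits:
        print(f"{off:08x}  {label}")
```

Run without arguments it reports the three planted idioms at offsets 9, 24 and 36; given a file path it scans that file. Hits are a triage aid, not proof: an immediate such as 4Fh or an `int 3` occurs in ordinary code too, so each hit still needs to be confirmed in a disassembler, which is why the patterns require the characteristic immediate and the interrupt to sit within a few bytes of each other.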