About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's built-in support for BoundsChecker: int 3 is called
with EBP='BCHK' and AX=4, and if SoftICE is loaded it answers the handshake,
so AL no longer equals 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE graphics (SIWVID) VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily replaces the
int 41h vector in the interrupt vector table with a dummy IRET handler before
issuing the call, so that without a debugger hooking the interrupt, ax comes
back unchanged:

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
byte read from the timer port 40h is used as the 'function number', and the
dummy handler copies al into cl. Without a debugger, cl equals al afterwards;
if int 41h is intercepted, the handler is not reached (or al is altered) and
the two values differ.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE Loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
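To make the dr7 values quoted above concrete, here is a small decoder. It is an added example written for this page, not code from the original text. It implements the architectural DR7 layout (enable bits L0..G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 always reads as 1, GD in bit 13, and one R/W and LEN field pair per register in bits 16-31) and applies the page's heuristic on top of it; it works on register values you have already read from ring 0, and the DR0 address in the sample is made up.

```python
"""Decode DR7 and apply the SoftICE heuristics from Method 10 (added example)."""
from __future__ import annotations

from dataclasses import dataclass

DR7_LE = 1 << 8             # local exact breakpoint enable
DR7_GE = 1 << 9             # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10  # architecturally always 1, hence the 0x400 floor
DR7_GD = 1 << 13            # general detect: trap on any MOV to/from DRn

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 10 (8 bytes) is 64-bit only


@dataclass(frozen=True)
class HwBreakpoint:
    index: int      # 0..3 -> DR0..DR3 holds the linear address
    address: int
    local: bool     # Ln bit (cleared by the CPU on a task switch)
    global_: bool   # Gn bit
    kind: str       # access that triggers it
    length: int     # bytes covered


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Return the control flags and the enabled breakpoints encoded in DR7."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append(HwBreakpoint(i, dr0_3[i], local, glob,
                                    RW_NAMES[rw], LEN_BYTES[ln]))
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "breakpoints": bps,
    }


def softice_indicators(dr7: int, dr0_3=(0, 0, 0, 0)) -> list[str]:
    """The page's heuristic: LE+GE set -> started from SoftICE Loader (0x700);
    any enabled DRn -> a BPM (memory breakpoint) is armed."""
    info = decode_dr7(dr7, dr0_3)
    out = []
    if info["le"] and info["ge"]:
        out.append("LE+GE set (dr7 looks like 0x700: program started from "
                   "SoftICE Loader)")
    for bp in info["breakpoints"]:
        scope = "global" if bp.global_ else "local"
        out.append(f"DR{bp.index} armed ({scope}): {bp.kind} "
                   f"{bp.length} byte(s) at {bp.address:#010x}")
    if info["gd"]:
        out.append("GD set: the next MOV to/from a debug register will trap")
    return out


if __name__ == "__main__":
    # 0xD0701 = 0x700 | L0 | R/W0=01 (write) | LEN0=11 (4 bytes): a BPM W DWORD
    for value in (0x400, 0x700, 0xD0701):
        print(f"dr7={value:#07x}: "
              f"{softice_indicators(value, (0x00401000, 0, 0, 0)) or ['nothing']}")
```

0x400 is what an idle processor shows (only the always-one bit 10); 0x700 adds the LE and GE exact-breakpoint enables, which is why the page can tell the two states apart even when no DR0..DR3 is in use. The GD check is worth having because reading DR7 at all traps when a debugger has set it.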

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
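Every trick on this page reduces to a handful of fixed instruction encodings (methods 01 to 07 and 12) or fixed strings (methods 11 and 13), so a static scanner run over a packed DOS or Win9x executable before loading it in SoftICE tells you which ones to expect. The block below is an added example written for this page, not the original author's code nor a NuMega tool. The opcode encodings are the standard x86 ones with 16-bit operand size (a 66h prefix is tolerated where 32-bit code would need it), the short wildcard gaps are an assumption that a compiler or packer may interleave a few other instructions, and the sample buffer is hand-assembled here rather than taken from any real file.

```python
"""Static scanner for the anti-SoftICE idioms on this page (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int   # byte offset of the match in the scanned blob
    method: str   # method number from this page
    name: str     # what was matched


# (method, name, byte regex). `.{0,N}?` allows a few unrelated instructions
# between the parts of one idiom; re.DOTALL lets `.` match 0x0A as well.
CODE_SIGNATURES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker handshake)",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    ("02", "mov si,4647h / mov di,4A4Dh ... int 3 (backdoor magic FG/JM)",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,16}?\xCC"),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD entry point)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD entry point)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (debugger-installed check)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler check)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic number)",
     rb"\x66?\x3D\x86\xF3"),
]

# Device names opened by MeltICE-style code (method 11) and the registry
# paths of method 13; registry paths are matched case-insensitively.
STRING_SIGNATURES = [
    ("11", "device name \\\\.\\SICE", re.escape(b"\\\\.\\SICE"), 0),
    ("11", "device name \\\\.\\SIWVID", re.escape(b"\\\\.\\SIWVID"), 0),
    ("11", "device name \\\\.\\NTICE", re.escape(b"\\\\.\\NTICE"), 0),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE),
    ("13", "registry key Uninstall\\SoftICE",
     re.escape(b"Uninstall\\SoftICE"), re.IGNORECASE),
    ("13", "registry key App Paths\\Loader32.Exe",
     re.escape(b"App Paths\\Loader32.Exe"), re.IGNORECASE),
]

_COMPILED = (
    [(m, n, re.compile(p, re.DOTALL)) for m, n, p in CODE_SIGNATURES]
    + [(m, n, re.compile(p, f)) for m, n, p, f in STRING_SIGNATURES]
)


def scan(blob: bytes) -> list[Hit]:
    """Return every signature hit in `blob`, sorted by offset."""
    hits = [Hit(match.start(), method, name)
            for method, name, pattern in _COMPILED
            for match in pattern.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> set[str]:
    """Which of the page's methods the blob appears to use."""
    return {h.method for h in scan(blob)}


# Constructed sample: hand-assembled fragments, not bytes from any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h (execute command)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x00" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh / push 002A002Ah
    + b"\x66\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  method {hit.method:<8} {hit.name}")
```

Feed it a raw .COM/.EXE image or a PE section; a lone hit on the cmp ax,0F386h compare is weak evidence and is best read together with an int 41h, int 68h or VxDCall hit nearby. For the int 3 based tricks (methods 01 and 02) the magic-value loads are the reliable part, since int 3 on its own is everywhere in debug builds.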

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>