<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP set
to the 'BCHK' signature and AX to 4, the INT 3 is picked up by SoftICE,
which changes AL; when SoftICE is not loaded the INT 3 returns with AL
still equal to 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It drives
the SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI is set to its API
entry point, otherwise both stay 0.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; ES and DI were zeroed first, so any nonzero value means the VxD answered
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by any
system debugger when int 41h, function 4Fh, is called (the Windows debugger
installation check).
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first installs a dummy int 41h
handler of its own (so that the call is harmless when no debugger answers),
then restores the original vector:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler (assumes ES=0, the IVT segment)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: it
uses neither function 4Fh nor a compare with 0F386h, so there is nothing
obvious to break on. The program's own handler copies AL into CL; if SoftICE
intercepts int 41h underneath, that handler is never reached and CL is still
0 when the call returns (AL holds whatever the timer port 40h returned, so
CL only matches by chance).

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; set interrupt vector (35h, get vector, is used first to save the old one)
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
usable from ring0 (a VxD, or a ring3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring0 only, since MOV from DRn is privileged). The
values can be manipulated or changed as well (clearing BPMs, for instance).
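As an added example (not code from the original article), here is a C decoder for the DR7 layout behind the 0x400 and 0x700 values above, together with the "clearing BPMs" manipulation. It works on a DR7 value that has already been read: reading DR7 itself (mov eax,dr7) is a privileged instruction that faults at ring3, so the ring0 read is left to the caller. The function names dr7_decode, dr7_looks_like_softice_loader, dr7_set_bpm and dr7_clear_bpms are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example: decoding the DR7 register that Method 10 reads.
   Bit layout (Intel SDM vol. 3, "Debug Registers"):
     bit 2i    Li   local enable of breakpoint i (i = 0..3)
     bit 2i+1  Gi   global enable of breakpoint i
     bit 8     LE   local exact breakpoint enable
     bit 9     GE   global exact breakpoint enable
     bit 10    reserved, always reads as 1  -> the idle value 0x400
     bit 13    GD   general detect: trap any MOV to/from DR0..DR7
     bits 16+4i..17+4i  R/Wi  00=execute, 01=write, 11=read/write
     bits 18+4i..19+4i  LENi  00=1 byte, 01=2 bytes, 11=4 bytes
   0x700 is therefore 0x400 | LE | GE, the value the article reports after
   the SoftICE loader has started the program. */

typedef struct {
    bool enabled;   /* Li || Gi */
    bool global;    /* Gi */
    uint8_t rw;     /* R/Wi field */
    uint8_t len;    /* LENi field */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    bool le, ge, gd;
    int active;     /* number of enabled hardware breakpoints */
} dr7_view;

dr7_view dr7_decode(uint32_t dr7)
{
    dr7_view v;
    memset(&v, 0, sizeof v);
    for (int i = 0; i < 4; i++) {
        bool l = (dr7 >> (2 * i)) & 1u;
        bool g = (dr7 >> (2 * i + 1)) & 1u;
        v.slot[i].enabled = l || g;
        v.slot[i].global  = g;
        v.slot[i].rw  = (uint8_t)((dr7 >> (16 + 4 * i)) & 3u);
        v.slot[i].len = (uint8_t)((dr7 >> (18 + 4 * i)) & 3u);
        if (v.slot[i].enabled) v.active++;
    }
    v.le = (dr7 >> 8) & 1u;
    v.ge = (dr7 >> 9) & 1u;
    v.gd = (dr7 >> 13) & 1u;
    return v;
}

/* The loader heuristic from the article: LE and GE set (DR7 == 0x700 on an
   otherwise idle register). */
bool dr7_looks_like_softice_loader(uint32_t dr7)
{
    dr7_view v = dr7_decode(dr7);
    return v.le && v.ge;
}

/* What a SoftICE BPM looks like in DR7: enable slot i with the given access
   type and length (the linear address itself lives in DRi). */
uint32_t dr7_set_bpm(uint32_t dr7, int i, uint8_t rw, uint8_t len, bool global)
{
    uint32_t field_mask = 0xFu << (16 + 4 * i);
    dr7 &= ~field_mask;
    dr7 |= ((uint32_t)(rw & 3u) | ((uint32_t)(len & 3u) << 2)) << (16 + 4 * i);
    dr7 |= 1u << (2 * i + (global ? 1 : 0));
    return dr7;
}

/* The "clearing BPMs" manipulation: drop every enable bit and every R/W and
   LEN field, leaving LE, GE, GD and the reserved bit untouched. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

int main(void)
{
    /* Constructed sample values: idle, loader-started, and one 4-byte BPM. */
    uint32_t samples[] = { 0x400, 0x700, dr7_set_bpm(0x700, 0, 3, 3, false) };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        dr7_view v = dr7_decode(samples[n]);
        printf("DR7=%#07x LE=%d GE=%d GD=%d active=%d loader=%d\n",
               samples[n], v.le, v.ge, v.gd, v.active,
               dr7_looks_like_softice_loader(samples[n]));
    }
    return 0;
}
```

The same decoder applies to any hardware-breakpoint check, not only SoftICE's: a non-zero `active` count means some debugger has armed DR0..DR3, and a set GD bit means a debugger wants to be told when the program reads the registers at all.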

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jnz test):
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

/ l# j) q1 [, K0 G$ d__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the subkeys of #2 and #1 respectively; key #3 is not caught by it):
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
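The SoftICE breakpoint expressions of Methods 11 and 13, rewritten as plain C predicates so the magic numbers in them can be checked; this is an added example, not part of the original article. It reproduces the 4-byte compares behind *(esp->4+4)=='SICE' (esp->4 is CreateFileA's lpFileName) and *(esp->8+0x13)=='tICE' (esp->8 is RegOpenKey's lpSubKey), and computes where the 0x13 and 0x37 offsets come from. The inputs are constructed and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: the conditional breakpoints of Methods 11 and 13 as C.
   SoftICE's 'SICE' literal compares 4 bytes in memory order; in C that is a
   memcmp, not a multi-character constant (whose value is implementation-
   defined). */
static bool dword_at_is(const char *s, size_t off, const char *tag4)
{
    /* SoftICE would happily read past a short string; a C model must not. */
    if (s == NULL || strlen(s) < off + 4)
        return false;
    return memcmp(s + off, tag4, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   The four skipped bytes are the "\\.\" device prefix. Returns the driver
   name the breakpoint would fire on, or NULL. Note that only 4 characters
   are compared, so "\\.\NTIC" followed by anything also matches. */
const char *createfile_bpx_hit(const char *lpFileName)
{
    if (dword_at_is(lpFileName, 4, "SICE")) return "SICE";
    if (dword_at_is(lpFileName, 4, "SIWV")) return "SIWVID";
    if (dword_at_is(lpFileName, 4, "NTIC")) return "NTICE";
    return NULL;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' */
bool regopenkey_bpx_hit(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE") ||
           dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Where the two magic offsets come from: the position of "tICE" inside the
   subkey string, or -1 if the key does not contain it. */
long tice_offset(const char *lpSubKey)
{
    const char *p = lpSubKey ? strstr(lpSubKey, "tICE") : NULL;
    return p ? (long)(p - lpSubKey) : -1;
}

int main(void)
{
    /* Constructed inputs: the three MeltICE device names, one harmless file
       name, and the three subkeys of Method 13 (without the
       HKEY_LOCAL_MACHINE root, which RegOpenKey receives as hKey). */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\readme.txt" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        const char *hit = createfile_bpx_hit(files[i]);
        printf("CreateFileA(%-14s) -> %s\n", files[i], hit ? hit : "no break");
    }
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey #%zu: tICE at offset %ld -> %s\n", i + 1,
               tice_offset(keys[i]),
               regopenkey_bpx_hit(keys[i]) ? "break" : "no break");
    return 0;
}
```

The offset check shows why the breakpoint is written with two fixed offsets rather than a substring search: SoftICE expressions can only dereference at a constant displacement, so each key layout needs its own term, and a program that opens key #3 (App Paths\Loader32.Exe) slips past both.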

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only):

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>