<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE answers
on int 3: with EBP='BCHK' and AX=4, a loaded SoftICE services the call
and returns with AL no longer equal to 4 (it is cleared to 0); when
nothing handles the request, AL still holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires in order to treat the
int 3 as a back door call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler the program
  installs beforehand, if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is loaded, the
call returns a non-null API entry point in ES:DI; otherwise ES:DI is
left at the 0:0 the code set up beforehand.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________) k: i! y6 ]/ k" t$ \$ {- C

Method 05
=========

A method that checks for the 'magic number' 0F386h returned (in ax) by
every system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first points the
int 41h vector at its own dummy handler: without a debugger the int 41h
vector normally points to the BIOS hard-disk parameter table, not to
code, so the dummy handler makes the call harmless and AX comes back
unchanged (4Fh). A system debugger such as SoftICE catches the interrupt
before the vector is consulted and still answers 0F386h:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

+ x4 N5 {2 Y9 k$ a( a, o_________________________________________________________________________


Method 06
=========

A second variant, similar to the preceding one but harder to spot: the
program never asks for function 4Fh and never compares with 0F386h. Its
own int 41h handler copies AL into CL, so when no debugger is present
the handler runs and CL ends up equal to AL (an unpredictable byte read
from the timer port 40h). When SoftICE is loaded it handles int 41h
itself and does not pass the call on to the hooked vector, so CL stays 0
and the mismatch reveals the debugger (the check misses only when the
timer byte happens to be 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function 43h is
the debugger installation check; a system debugger answers 0F386h in AX:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a detection method but a way to crash the system: the program
intercepts int 01h and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can tell whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (dr0 to dr3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the device \\.\SICE can be opened, i.e. when the
   SICE VxD is loaded and accepts the DIOC_OPEN it receives. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check this simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-1          ; INVALID_HANDLE_VALUE
00401074: je 00401091


There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
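The checks of Methods 01 to 05, 07 and 12 all hard-wire the same immediates
('BCHK', SI=4647h/DI=4A4Dh, 1684h with VxD ID 0202h/7A5Fh, int 41h/4Fh,
0F386h, 002A002Ah), so they can be found statically in a packer before you
ever run it under SoftICE. The scanner below is an example added for this
page, not code from the original document, from SoftICE or from any packer.
The SAMPLE buffer is hand-assembled 16-bit code (constructed here, not
dumped from a real program) containing Method 01, the Haspinst loop body of
Method 02, the simple Method 05 check and the two pushes of Method 12; the
byte patterns accept an optional 66h prefix so they also fit 32-bit code.

```python
"""Static scanner for the anti-SoftICE byte patterns of Methods 01-05, 07
and 12.  Added example, not part of the original page; SAMPLE is constructed."""
import re

BACKDOOR_FUNCS = {  # AX values of the int 3 back door (Method 02)
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint information",
    0x0913: "set SoftICE breakpoint",
    0x0914: "remove SoftICE breakpoints",
}

# (method number on this page, description, regex over raw code bytes).
# Immediate loads carry an optional 66h operand-size prefix so one pattern
# fits 16-bit DOS code and 32-bit Win32 code; `.{0,N}?` tolerates a few
# unrelated bytes between the instructions (e.g. MOV DX,[BX] in Haspinst).
SIGNATURES = [
    (1, "int 3 BoundsChecker check (EBP='BCHK', AX=4)",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC"),
    (2, "int 3 back door (SI=4647h 'FG', DI=4A4Dh 'JM')",
     rb"(?:\x66?\xB8(?P<fn>[\x10-\x14])\x09.{0,12}?)?"   # mov ax,091xh (optional)
     rb"(?:\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"     # mov si / mov di ...
     rb"|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46)"      # ... in either order
     rb".{0,8}?\xCC"),                                    # int 3
    (3, "int 2Fh/1684h get entry point, SICE VxD ID 0202h",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    (4, "int 2Fh/1684h get entry point, SIWVID VxD ID 7A5Fh",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    (5, "int 41h/4Fh, result compared with 0F386h",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41.{0,12}?\x66?\x3D\x86\xF3"),
    (7, "int 68h/AH=43h, result compared with 0F386h",
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,12}?\x66?\x3D\x86\xF3"),
    (12, "VxDCall VWIN32_Int41Dispatch (push 4Fh, push 002A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}?\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(code: bytes):
    """Return [{offset, method, what, function}] for every hit, sorted by
    offset.  `function` is the decoded back-door AX value for Method 02 hits
    whose MOV AX,091xh was found, otherwise None."""
    findings = []
    for method, what, pattern in COMPILED:
        for m in pattern.finditer(code):
            hit = {"offset": m.start(), "method": method, "what": what, "function": None}
            fn = m.groupdict().get("fn")
            if fn is not None:
                hit["function"] = 0x0900 | fn[0]
                hit["what"] += " -> " + BACKDOOR_FUNCS[hit["function"]]
            findings.append(hit)
    return sorted(findings, key=lambda h: h["offset"])


# Constructed sample, hand-assembled as 16-bit code.  Branch displacements
# are placeholders; offsets are shown in the comments.
SAMPLE = bytes.fromhex(
    "66BD4B484342"   # 0000  mov ebp,4243484Bh   ; 'BCHK'      (Method 01)
    "B80400"         # 0006  mov ax,4
    "CC"             # 0009  int 3
    "3C04"           # 000A  cmp al,4
    "7500"           # 000C  jnz SoftICE_Detected
    "B81109"         # 000E  mov ax,0911h        ; Haspinst    (Method 02)
    "8B17"           # 0011  mov dx,[bx]
    "BE4746"         # 0013  mov si,4647h        ; 'FG'
    "BF4D4A"         # 0016  mov di,4A4Dh        ; 'JM'
    "CC"             # 0019  int 3
    "83C302"         # 001A  add bx,2
    "41"             # 001D  inc cx
    "83F906"         # 001E  cmp cx,6
    "72EB"           # 0021  jb back
    "B84F00"         # 0023  mov ax,4Fh                        (Method 05)
    "CD41"           # 0026  int 41h
    "3D86F3"         # 0028  cmp ax,0F386h
    "7400"           # 002B  jz SoftICE_detected
    "6A4F"           # 002D  push 4Fh                          (Method 12)
    "682A002A00"     # 002F  push 002A002Ah      ; VWIN32_Int41Dispatch
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        fn = f" AX={hit['function']:04X}h" if hit["function"] is not None else ""
        print(f"+{hit['offset']:04X}  Method {hit['method']:02d}{fn}: {hit['what']}")
```

Run it on a raw code dump (e.g. the unpacked image of a protected program) and
each reported offset is a place worth a BPX. The patterns deliberately match
only the magic immediates, so a program that builds 4647h/4A4Dh arithmetically
or self-decrypts the check will slip past them; the scanner is a first pass,
not a replacement for the breakpoints listed under each method.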
. H/ u1 {% V" o; n__________________________________________________________________________( @3 W9 _, t% Y/ i8 J: o9 m/ N
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
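The conditional breakpoints given for Method 11 (CreateFileA) and Method 13
(_regopenkey) both work the same way: take the pointer argument from the
stack at the API's entry (esp->4 is the first argument, esp->8 the second,
the return address being at esp) and compare one dword inside the string
with a 4-character literal. The 0x13 and 0x37 in the _regopenkey line are
simply the offsets of "tICE" in the two registry paths. The code below is an
example added for this page, not from the original document or from SoftICE;
it derives such expressions from the target strings and reproduces the page's
two breakpoints, the only difference being that offsets are always printed in
0x form (SoftICE reads +4 and +0x4 alike).

```python
"""Derive SoftICE `*(esp->SLOT+OFF)=='ABCD'` string probes for BPX conditions.
Added example for Methods 11 and 13; not part of the original page."""

DEVICE_PREFIX = "\\\\.\\"        # the "\\.\" that opens a Win32 device path


def probe_offset(target: str, probe: str) -> int:
    """Byte offset of `probe` inside the ASCII string `target`.  SoftICE's
    `*(addr)=='ABCD'` compares a single dword, so the probe must be exactly
    4 bytes, and it must occur once so the condition is unambiguous."""
    if len(probe) != 4:
        raise ValueError("a dword probe must be exactly 4 characters")
    data, needle = target.encode("ascii"), probe.encode("ascii")
    first = data.find(needle)
    if first < 0 or data.find(needle, first + 1) >= 0:
        raise ValueError(f"{probe!r} must occur exactly once in {target!r}")
    return first


def clause(arg_slot: int, target: str, probe: str) -> str:
    """One `*(esp->SLOT+OFF)=='PROBE'` term.  At the API's first instruction
    the return address is at esp, so esp->4 is the first argument pointer
    (lpFileName for CreateFileA) and esp->8 the second (lpSubKey for
    RegOpenKey)."""
    return f"*(esp->{arg_slot}+{probe_offset(target, probe):#x})=='{probe}'"


def bpx(api: str, arg_slot: int, targets, probe_for) -> str:
    """Assemble the full breakpoint: one clause per target string, OR-ed."""
    terms = [clause(arg_slot, t, probe_for(t)) for t in targets]
    return f"BPX {api} if " + " || ".join(terms)


# Method 11: the three driver names MeltICE opens; probe the 4 characters
# that follow the \\.\ prefix, as the page's BPX does.
DEVICE_NAMES = [DEVICE_PREFIX + n for n in ("SICE", "SIWVID", "NTICE")]


def device_probe(path: str) -> str:
    return path[len(DEVICE_PREFIX):][:4]


# Method 13: the two SoftICE registry keys a program may query (key #2 first,
# as on the page); probe the common tail 'tICE' of "...\SoftICE".
REG_KEYS = [
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
]


def createfile_bpx() -> str:
    return bpx("CreateFileA", 4, DEVICE_NAMES, device_probe)


def regopenkey_bpx() -> str:
    return bpx("_regopenkey", 8, REG_KEYS, lambda key: "tICE")


if __name__ == "__main__":
    print(createfile_bpx())
    print(regopenkey_bpx())
```

The uniqueness check in probe_offset matters when you adapt this to other
strings: a probe that occurs twice (or that also appears in a legitimate
path) gives a breakpoint that fires on the wrong call or, worse, never on the
one you wanted because you picked the offset of the other occurrence.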
& X) @4 `# f3 j8 C6 u( s. A2 n) k# v$ X4 ^, Z& q1 ]
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>