<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE answers the BoundsChecker probe
        cmp al, 4               ; and changes al; an untouched al means
        jnz SoftICE_Detected    ; no debugger

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is absent
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is absent
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]    ; ...saving the old vector in bx:dx
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h           ; our handler leaves ax alone, SoftICE does not
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h               ; unpredictable value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al               ; cl == al only if our handler actually ran
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxDCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

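The probes of Methods 01, 02, 05, 11 and 12 leave fixed byte sequences in a protected binary, which is what an analyst looks for when triaging a packed sample statically. The scanner below is an added example, not code from the original text or from any tool it names; the patterns are the x86 encodings of the instructions shown in those methods, and the sample buffer is constructed for the demo.

```python
import re

# One rule per trick: (method number in the text, description, byte pattern).
# Patterns are the x86 encodings of the instructions the text shows; the
# optional 0x66 prefix covers both 16-bit DOS code and 32-bit PE code, and
# GAP tolerates a few bytes a protector may interleave between them.
GAP = rb"[\x00-\xff]{0,6}?"
RULES = [
    (1, "BoundsChecker 'BCHK' probe: mov ebp,4243484Bh / mov ax,4 / int 3",
     rb"\xbd\x4b\x48\x43\x42" + GAP + rb"\x66\xb8\x04\x00" + GAP + rb"\xcc"),
    (2, "SoftICE back door magic values: mov si,4647h / mov di,4A4Dh",
     rb"\x66?\xbe\x47\x46" + GAP + rb"\x66?\xbf\x4d\x4a"),
    (5, "int 41h function 4Fh debugger check: mov ax,4Fh / int 41h",
     rb"\x66?\xb8\x4f\x00" + GAP + rb"\xcd\x41"),
    (11, "MeltICE device name (CreateFileA or _lopen on a SoftICE driver)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    (12, "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(num, desc, re.compile(pat)) for num, desc, pat in RULES]


def scan(buf):
    """Return every hit as (offset, method number, description), by offset."""
    hits = []
    for num, desc, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), num, desc))
    return sorted(hits)


def methods_found(buf):
    """Sorted list of the method numbers from the text that occur in buf."""
    return sorted({num for _, num, _ in scan(buf)})


# Constructed sample (not a real binary): NOP filler, a 32-bit BCHK probe,
# a 16-bit back door call with mov ax,0911h in front of the magic values,
# two MeltICE device names, the Method 12 push pair and an int 41h/4Fh check.
SAMPLE = (
    b"\x90" * 4                                      # nop filler
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"    # Method 01 probe
    + b"\x3c\x04\x75\x10"                            # cmp al,4 / jnz (filler)
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"    # Method 02 probe (16-bit)
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"            # Method 11 device names
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                # Method 12 push sequence
    + b"\xb8\x4f\x00\xcd\x41"                        # Method 05 (16-bit)
)

if __name__ == "__main__":
    for off, num, desc in scan(SAMPLE):
        print(f"0x{off:04x}  Method {num:02d}  {desc}")
```

Run it over a raw dump of a sample's code section; a hit only says the sequence is present, so confirm in the disassembler that it is reachable code and not data.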
___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed         ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>