About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler (es=0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random-ish value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger ate the int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The Win9x SoftICE VxD registers a device name; if it can be opened,
      the debugger is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
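As an added example (not code from the original article), here is a small static scanner that flags the byte encodings of the checks described in Methods 01 to 07, 11, 12 and 13, the kind of triage an analyst runs over a packed DOS/Win9x binary before stepping through it. The patterns assume the standard 16-bit x86 encodings of the listed instructions (the 66h-prefixed form is accepted for Method 01); the sample buffer is constructed inline and is not taken from any real program.

```python
import re

# Each entry: (method label, regex over raw bytes).  Encodings used:
#   mov ax,imm16  = B8 iw   mov bx,imm16 = BB iw   mov si,imm16 = BE iw
#   mov di,imm16  = BF iw   mov ah,imm8  = B4 ib   int imm8     = CD ib
#   int 3 = CC    cmp ax,imm16 = 3D iw   mov ebp,imm32 = (66) BD id
#   push imm8 = 6A ib       push imm32 = 68 id
SIGNATURES = [
    # Method 01: 'BCHK' in ebp, then (within a few bytes) int 3
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: the back-door magic values loaded into SI and DI
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46")),
    # Methods 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) ID
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: int 41h function 4Fh, result compared with 0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3")),
    # Method 07: int 68h function 43h
    ("07 int 68h/43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: MeltICE-style device names  \\.\SICE  \\.\SIWVID  \\.\NTICE
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh, push 002A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: the NuMega registry key string
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(blob: bytes):
    """Return sorted (offset, method label) pairs for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: 4 filler bytes, then Method 01, 02, 05 and 11 fragments.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # 05
    + b"\\\\.\\SICE\x00"                                            # 11
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

A hit only means the encoding is present in the file as scanned; packed or self-modifying code will not show these bytes until unpacked, so confirm a hit (or its absence) with the breakpoints listed under each method.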