<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE. When SoftICE is loaded
it answers this BoundsChecker interface call and AL comes back changed;
otherwise int 3 is an ordinary breakpoint interrupt and AL still holds 4:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is left at 0000:0000 when no VxD with
that ID is loaded, so any non-zero result means the SoftICE API entry point
exists:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It first points the int 41h vector at a dummy handler:
a system debugger that answers the call before the vector is consulted
still returns 0F386h, while on a clean system the dummy handler runs and
AX keeps the value 4Fh:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect since
neither 4Fh nor 0F386h appears. The replacement handler copies AL into CL;
if a debugger handles int 41h before the hooked vector is reached, CL keeps
its zero value and the final compare fails:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random value from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
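The immediates used by methods 01 to 07 (the 'BCHK' constant, the 4647h/4A4Dh magic pair, the 0202h/7A5Fh VxD IDs, int 41h/4Fh, the 0F386h compare and int 68h/43h) are fixed values, so a reverser can sweep a packer's code for them before single-stepping into it. The scanner below is an added example written for this page, not code from the original text or from any of the programs named above. It assumes the 16-bit encodings of the listings for the int 2Fh/41h/68h sequences (the immediates themselves are the same in 32-bit code), and its sample buffer is constructed from the Haspinst.exe loop of method 02 followed by the plain int 41h check of method 05.

```c
/* Added example (not from the original text): sweep a raw code image for the
 * byte-level footprints of the SoftICE checks in methods 01 to 07.
 * Assumes the 16-bit encodings of the listings above for the int 2Fh/41h/68h
 * sequences; the immediates themselves are the same in 32-bit code. */
#include <stdint.h>
#include <stdio.h>

#define MAXSIG 6

struct sig {
    const char *name;
    uint8_t     bytes[MAXSIG];
    uint8_t     mask[MAXSIG];   /* 0xFF = byte must match, 0x00 = wildcard */
    int         len;
};

/* Immediates and opcode pairs taken from the methods above. */
static const struct sig sigs[] = {
    { "method 01: 'BCHK' constant 4243484Bh",
      {0x4B,0x48,0x43,0x42}, {0xFF,0xFF,0xFF,0xFF}, 4 },
    { "method 02: mov si,4647h (1st back door magic)",
      {0xBE,0x47,0x46}, {0xFF,0xFF,0xFF}, 3 },
    { "method 02: mov di,4A4Dh (2nd back door magic)",
      {0xBF,0x4D,0x4A}, {0xFF,0xFF,0xFF}, 3 },
    { "method 02: mov ax,091xh (back door function; 0910h-091Fh matched)",
      {0xB8,0x10,0x09}, {0xFF,0xF0,0xFF}, 3 },
    { "method 03: mov bx,0202h; int 2Fh (SICE VxD ID)",
      {0xBB,0x02,0x02,0xCD,0x2F}, {0xFF,0xFF,0xFF,0xFF,0xFF}, 5 },
    { "method 04: mov bx,7A5Fh; int 2Fh (SIWVID VxD ID)",
      {0xBB,0x5F,0x7A,0xCD,0x2F}, {0xFF,0xFF,0xFF,0xFF,0xFF}, 5 },
    { "method 05: mov ax,4Fh; int 41h",
      {0xB8,0x4F,0x00,0xCD,0x41}, {0xFF,0xFF,0xFF,0xFF,0xFF}, 5 },
    { "method 05/07: cmp ax,0F386h (system debugger magic)",
      {0x3D,0x86,0xF3}, {0xFF,0xFF,0xFF}, 3 },
    { "method 07: mov ah,43h; int 68h",
      {0xB4,0x43,0xCD,0x68}, {0xFF,0xFF,0xFF,0xFF}, 4 },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

struct hit { size_t offset; const char *name; };

/* Linear masked-pattern scan; returns the number of hits stored (sorted by offset). */
size_t scan_for_softice_checks(const uint8_t *code, size_t len,
                               struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const struct sig *sg = &sigs[s];
            if (off + (size_t)sg->len > len)
                continue;
            int match = 1;
            for (int i = 0; i < sg->len && match; i++)
                if ((code[off + i] & sg->mask[i]) != (sg->bytes[i] & sg->mask[i]))
                    match = 0;
            if (match && n < max_hits) {
                hits[n].offset = off;
                hits[n].name   = sg->name;
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: the Haspinst.exe loop from method 02 encoded as 16-bit
 * bytes, followed by the plain int 41h/4Fh check from method 05. */
static const uint8_t sample_code[] = {
    0xB8,0x11,0x09,         /* 0000  mov ax,0911h   */
    0x8B,0x17,              /* 0003  mov dx,[bx]    */
    0xBE,0x47,0x46,         /* 0005  mov si,4647h   */
    0xBF,0x4D,0x4A,         /* 0008  mov di,4A4Dh   */
    0xCC,                   /* 000B  int 3          */
    0x83,0xC3,0x02,         /* 000C  add bx,2       */
    0x41,                   /* 000F  inc cx         */
    0x83,0xF9,0x06,         /* 0010  cmp cx,6       */
    0x72,0xEB,              /* 0013  jb  back       */
    0xB8,0x4F,0x00,         /* 0015  mov ax,4Fh     */
    0xCD,0x41,              /* 0018  int 41h        */
    0x3D,0x86,0xF3,         /* 001A  cmp ax,0F386h  */
    0x74,0x00,              /* 001D  jz  detected   */
};

static struct hit demo_hits[16];

/* Scans the constructed sample, prints each hit and returns the hit count. */
size_t demo_scan(void)
{
    size_t n = scan_for_softice_checks(sample_code, sizeof sample_code,
                                       demo_hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%04zX  %s\n", demo_hits[i].offset, demo_hits[i].name);
    return n;
}

/* Offset of the i-th hit recorded by the last demo_scan() call. */
size_t demo_hit_offset(size_t i) { return demo_hits[i].offset; }

int main(void) { demo_scan(); return 0; }
```

The masks let one entry cover the whole 0910h-0914h back door range; a packer that builds the magic values at run time (e.g. `mov si,4646h / inc si`) will not be found this way, which is exactly why the breakpoint conditions given for the later methods remain useful.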


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ecx) if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).


__________________________________________________________________________
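What the DR7 values quoted above actually encode, as an added example that is not part of the original text: 0x400 is the reserved bit 10, which always reads as 1, and 0x700 adds bits 8 and 9 (LE and GE); a memory breakpoint in DR0-DR3 shows up in the low enable bits and in the R/W and LEN fields of the high word. The bit layout is the one documented in the Intel manuals; the sample values are constructed. Reading or writing DR7 itself needs ring 0, as the text says; this decoder only works on a value already read.

```c
/* Added example (not from the original text): decode x86 DR7 fields.
 * Layout (Intel SDM): bits 0-7 L0,G0,...,L3,G3; bit 8 LE; bit 9 GE;
 * bit 10 reserved, always 1; bit 13 GD; R/Wn at bits 16+4n (2 bits);
 * LENn at bits 18+4n (2 bits). Sample values below are constructed. */
#include <stdint.h>
#include <stdio.h>

struct dr7_slot { int local, global, rw, len_code; };

struct dr7_fields {
    struct dr7_slot slot[4];
    int le, ge, gd;
    int reserved_bit10;   /* reads back as 1 on any real CPU */
};

void decode_dr7(uint32_t dr7, struct dr7_fields *f)
{
    for (int n = 0; n < 4; n++) {
        f->slot[n].local    = (dr7 >> (2 * n))      & 1;
        f->slot[n].global   = (dr7 >> (2 * n + 1))  & 1;
        f->slot[n].rw       = (dr7 >> (16 + 4 * n)) & 3;
        f->slot[n].len_code = (dr7 >> (18 + 4 * n)) & 3;
    }
    f->le = (dr7 >> 8) & 1;
    f->ge = (dr7 >> 9) & 1;
    f->reserved_bit10 = (dr7 >> 10) & 1;
    f->gd = (dr7 >> 13) & 1;
}

/* Bit n set in the result means DRn is armed (local or global enable). */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int n = 0; n < 4; n++)
        if ((dr7 >> (2 * n)) & 3)
            m |= 1u << n;
    return m;
}

/* LEN encoding: 00=1 byte, 01=2, 11=4, 10=8 (8 only in 64-bit mode). */
int dr7_len_bytes(int len_code)
{
    static const int tbl[4] = { 1, 2, 8, 4 };
    return tbl[len_code & 3];
}

/* R/W encoding: 00=execute, 01=write, 10=I/O (with CR4.DE), 11=read/write. */
const char *dr7_rw_name(int rw)
{
    static const char *names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

/* The text: dr7 == 0x700 under the SoftICE loader, 0x400 otherwise.
 * 0x400 is just the reserved bit; 0x700 adds LE|GE with no slot armed. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300 && dr7_armed_mask(dr7) == 0;
}

/* What a program clearing a BPM would do to slot n: drop its enable bits
 * and its R/W and LEN fields. Returns the new DR7 value. */
uint32_t dr7_clear_slot(uint32_t dr7, int n)
{
    return dr7 & ~(3u << (2 * n)) & ~(0xFu << (16 + 4 * n));
}

void dr7_print(uint32_t dr7)
{
    struct dr7_fields f;
    decode_dr7(dr7, &f);
    printf("DR7=%08X LE=%d GE=%d GD=%d bit10=%d%s\n", dr7, f.le, f.ge, f.gd,
           f.reserved_bit10,
           dr7_looks_like_softice_loader(dr7) ? " (SoftICE loader pattern)" : "");
    for (int n = 0; n < 4; n++)
        if (f.slot[n].local || f.slot[n].global)
            printf("  DR%d armed: %s, %d byte(s)%s\n", n,
                   dr7_rw_name(f.slot[n].rw), dr7_len_bytes(f.slot[n].len_code),
                   f.slot[n].global ? ", global" : "");
}

int main(void)
{
    /* constructed: bare 0x400, the loader's 0x700, and a 4-byte write BPM in DR1 */
    uint32_t samples[] = { 0x400, 0x700, 0x400 | 0x4 | (1u << 20) | (3u << 22) };
    for (int i = 0; i < 3; i++)
        dr7_print(samples[i]);
    return 0;
}
```

The third sample (0xD00404) is what a `BPM dword` on an address in DR1 leaves behind; a protection that wants to strip it only has to write back the value `dr7_clear_slot` computes, which is why the warning at the top of this method matters.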

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-01          ; INVALID_HANDLE_VALUE
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
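How the offsets in the two conditional breakpoints above (method 11's *(esp->4+4)=='SICE' and method 13's *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE') are derived, as an added example that is not part of the original text: esp->4 and esp->8 are the lpFileName and lpSubKey arguments on the stack, +4 skips the "\\.\" device prefix, and 0x13 and 0x37 are where "tICE" falls inside key #2 and key #1. The code below computes those offsets from the strings named on this page and emulates the 4-character compare. It assumes that a SoftICE 'abcd' literal matches the bytes a,b,c,d in memory order, and it stops at the end of the string where a real breakpoint condition would simply read whatever memory follows.

```c
/* Added example (not from the original text): derive and check the offsets
 * used by the BPX conditions for methods 11 and 13.
 * Assumption: SoftICE's 'abcd' literal compared with *ptr matches the four
 * bytes a,b,c,d in memory order. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strings quoted on this page. */
static const char *DEVICE_SICE   = "\\\\.\\SICE";
static const char *DEVICE_SIWVID = "\\\\.\\SIWVID";
static const char *DEVICE_NTICE  = "\\\\.\\NTICE";
static const char *KEY1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char *KEY2 = "Software\\NuMega\\SoftICE";
static const char *KEY3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

/* Byte offset of the first occurrence of a 4-character tag in s, or -1.
 * This is how one arrives at the +4, +0x13 and +0x37 in the conditions. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1L;
}

/* Emulates  *(p+off)=='tag'  : the four bytes at p+off equal the tag.
 * Unlike the debugger, we refuse to read past the end of the string. */
int si_dword_matches(const char *p, size_t off, const char *tag)
{
    if (strlen(p) < off + 4)
        return 0;
    return memcmp(p + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName; +4 steps over the "\\.\" prefix. */
int meltice_bpx_condition(const char *lpFileName)
{
    return si_dword_matches(lpFileName, 4, "SICE")
        || si_dword_matches(lpFileName, 4, "SIWV")
        || si_dword_matches(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 hits key #2, 0x37 hits key #1. */
int regopen_bpx_condition(const char *lpSubKey)
{
    return si_dword_matches(lpSubKey, 0x13, "tICE")
        || si_dword_matches(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    printf("'SICE' in %s at +%ld\n", DEVICE_SICE, tag_offset(DEVICE_SICE, "SICE"));
    printf("'tICE' in key #2 at +0x%lX\n", tag_offset(KEY2, "tICE"));
    printf("'tICE' in key #1 at +0x%lX\n", tag_offset(KEY1, "tICE"));
    printf("'tICE' in key #3 at %ld (not covered by the breakpoint)\n",
           tag_offset(KEY3, "tICE"));
    printf("CreateFileA(%s) breaks: %d\n", DEVICE_NTICE,
           meltice_bpx_condition(DEVICE_NTICE));
    printf("RegOpenKey(key #3) breaks: %d\n", regopen_bpx_condition(KEY3));
    return 0;
}
```

Key #3 (App Paths\Loader32.Exe) contains no "tICE" at all, so the _regopenkey breakpoint as written lets a program that looks for the loader path slip by; a practitioner who wants that case too needs a third term against the "Load" or "er32" bytes of that key.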

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>