<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: int 3 is called with
ebp holding the 'BCHK' signature and ax=04h. If SoftICE is resident, its
int 3 handler recognises the request and returns with al cleared; if al is
still 4 afterwards, the int 3 went to the ordinary handler and SoftICE is
not loaded.

     mov ebp, 04243484Bh      ; 'BCHK'
     mov ax, 04h
     int 3
     cmp al,4
     jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint information)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

     4C19:0095 MOV  AX,0911     ; execute command.
     4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
     4C19:009A MOV  SI,4647     ; 1st magic value.
     4C19:009D MOV  DI,4A4D     ; 2nd magic value.
     4C19:00A0 INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
     4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
     4C19:00A4 INC  CX
     4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
     4C19:00A8 JB   0095        ; 6 different commands.
     4C19:00AA JMP  0002        ; Bad_Guy jmp back.
     4C19:00AD MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 3 handler) when the debugger is not loaded: without SoftICE the
  INT 3 is not intercepted and falls through to that handler.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is cleared first: if no VxD with that
ID answers, both stay 0 and the sum es+di is 0; a non-zero result means
the VxD replied with its API entry point.

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 0202h            ; VxD ID of WINICE
     int 2Fh
     mov ax, es               ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 7a5Fh            ; VxD ID of SIWVID
     int 2fh
     mov ax, es               ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

     mov ax,4fh
     int 41h
     cmp ax, 0F386h
     jz SoftICE_detected

This one and the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

     mov bx, cs               ; es must be 0 here (interrupt vector table)
     lea dx, int41handler2
     xchg dx, es:[41h*4]      ; install a dummy int 41h handler, keep the old one
     xchg bx, es:[41h*4+2]
     mov ax,4fh
     int 41h
     xchg dx, es:[41h*4]      ; restore the original vector
     xchg bx, es:[41h*4+2]
     cmp ax, 0f386h
     jz SoftICE_detected

int41handler2 PROC
     iret
int41handler2 ENDP

With the dummy iret handler in the vector table, a machine without a
debugger returns ax unchanged (4Fh) whatever was in the vector before;
SoftICE intercepts int 41h before the real-mode vector is reached and
still answers 0F386h.

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
because it never compares against the 0F386h magic number. The program
installs its own int 41h handler, which copies al into cl, reads a
changing value from the timer port (40h) into al, clears cx and calls
int 41h. If the call reaches the program's handler, cl equals al
afterwards; if SoftICE intercepted the interrupt instead, cl is still 0
and the compare fails:

int41handler PROC
     mov cl,al
     iret
int41handler ENDP

     xor ax,ax
     mov es,ax                ; es = 0 (interrupt vector table)
     mov bx, cs
     lea dx, int41handler
     xchg dx, es:[41h*4]      ; install our handler, keep the old vector
     xchg bx, es:[41h*4+2]
     in al, 40h               ; PIT counter: a value that is never predictable
     xor cx,cx
     int 41h
     xchg dx, es:[41h*4]      ; restore the original vector
     xchg bx, es:[41h*4+2]
     cmp cl,al
     jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

     mov ah,43h
     int 68h
     cmp ax,0F386h
     jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

     BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

     mov ah, 25h
     mov al, Int_Number        ; 01h or 03h
     mov dx, offset New_Int_Routine
     int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed:

     mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
     mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
     VMMCall Get_DDB
     mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

     bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (ring 0 only: mov eax,drN is a privileged instruction). 0x400 is just
the reserved bit 10 of dr7, which always reads as 1; 0x700 additionally has
the LE and GE bits (8 and 9) set. Values can be manipulated or changed as
well (clearing BPMs for instance).

__________________________________________________________________________
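The following is an added example, not code from the original page: it decodes a DR7 value the way Method 10 inspects it, telling the 0x700 loader signature from the idle 0x400 and listing which of DR0..DR3 are armed (what a SoftICE BPM looks like at the register level). Reading the real register needs ring 0, so the DR7 values fed in here are constructed test inputs, and dr7_arm() is a helper assumed for the example.

```c
/* Added example, not code from the original page: decode a DR7 value the
 * way Method 10 inspects it. 0x400 is only the reserved bit 10 (always
 * reads as 1); 0x700 adds LE and GE (bits 8 and 9); an armed BPM shows up
 * as an L<n>/G<n> bit plus an R/W<n>/LEN<n> field. Reading the real
 * register needs ring 0 (mov eax,dr7 is privileged), so the values fed
 * to this code are constructed test inputs, not read from the CPU. */
#include <stdint.h>
#include <stdio.h>

struct dr7_slot {
    int local;   /* L<n> (bit 2n): enabled for the current task */
    int global;  /* G<n> (bit 2n+1): enabled for every task */
    int rw;      /* R/W<n> (bits 16+4n..17+4n): 0=exec 1=write 2=I/O 3=read/write */
    int len;     /* LEN<n> (bits 18+4n..19+4n): 0=1 1=2 2=8 3=4 bytes */
};

struct dr7_info {
    struct dr7_slot slot[4];
    int le, ge;  /* bits 8, 9: exact local/global breakpoint enable */
    int gd;      /* bit 13: general detect, traps any access to DR0..DR7 */
    int armed;   /* how many of DR0..DR3 have L or G set */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info = {0};
    for (int n = 0; n < 4; n++) {
        info.slot[n].local  = (dr7 >> (2 * n)) & 1u;
        info.slot[n].global = (dr7 >> (2 * n + 1)) & 1u;
        info.slot[n].rw     = (dr7 >> (16 + 4 * n)) & 3u;
        info.slot[n].len    = (dr7 >> (18 + 4 * n)) & 3u;
        if (info.slot[n].local || info.slot[n].global)
            info.armed++;
    }
    info.le = (dr7 >> 8) & 1u;
    info.ge = (dr7 >> 9) & 1u;
    info.gd = (dr7 >> 13) & 1u;
    return info;
}

/* Convenience accessor for one slot of a decoded DR7. */
struct dr7_slot dr7_slot_of(uint32_t dr7, int n)
{
    struct dr7_info info = decode_dr7(dr7);
    return info.slot[n & 3];
}

/* The page's test: LE and GE set on top of the always-one bit 10. */
int softice_loader_signature(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* Helper assumed for the example: the DR7 bits that arm DRn locally,
 * e.g. dr7_arm(0, 3, 3) = read/write, 4 bytes, on DR0. */
uint32_t dr7_arm(int n, int rw, int len)
{
    return 0x400u | (1u << (2 * n)) | ((uint32_t)rw << (16 + 4 * n))
                  | ((uint32_t)len << (18 + 4 * n));
}

int len_bytes(int len)
{
    static const int table[4] = { 1, 2, 8, 4 };
    return table[len & 3];
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    struct dr7_info i = decode_dr7(dr7);
    printf("dr7=%08x le=%d ge=%d gd=%d armed=%d%s\n", (unsigned)dr7, i.le, i.ge,
           i.gd, i.armed,
           softice_loader_signature(dr7) ? "  <- SoftICE loader signature" : "");
    for (int n = 0; n < 4; n++)
        if (i.slot[n].local || i.slot[n].global)
            printf("  dr%d: %s%s %s, %d byte(s)\n", n,
                   i.slot[n].local ? "L" : "", i.slot[n].global ? "G" : "",
                   rw_name[i.slot[n].rw], len_bytes(i.slot[n].len));
}

int main(void)
{
    /* constructed inputs: idle, SoftICE loader, one BPM-style R/W dword on DR0 */
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm(0, 3, 3) };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        print_dr7(samples[k]);
    return 0;
}
```

A protection that reads DR7 from ring 0 only has to look at the L/G bits to know a BPM is set; clearing those bits is exactly the "clearing BPMs" the text mentions, which is why breakpoints should be removed before tracing such code.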

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the VxD by its device name; this only succeeds when it is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

     00401067: push 00402025            ; \\.\SICE
     0040106C: call CreateFileA
     00401071: cmp  eax,-001
     00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument, +4 skips the "\\.\" prefix, and the
 4-letter literals compare the next four characters, so 'SIWV' and 'NTIC'
 catch SIWVID and NTICE as well.)

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(
-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(
-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

     push 00                  ; OF_READ
     mov  eax,[00656634]      ; '\\.\SICE',0
     push eax
     call KERNEL32!_lopen
     inc  eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
     jnz  00650589            ; detected
     push 00                  ; OF_READ
     mov  eax,[00656638]      ; '\\.\SICE'
     push eax
     call KERNEL32!_lopen
     inc  eax
     jz   006505ae            ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

     push 0000004fh           ; function 4fh
     push 002a002ah           ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
     call Kernel32!ORD_0001   ; VxDCall
     cmp  ax, 0f386h          ; magic number returned by system debuggers
     jz   SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f

     BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; offset 0x13 is the 't' of 'SoftICE' in
 key #2 and offset 0x37 the same character in key #1.)
__________________________________________________________________________
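The following is an added example, not code from the original page, covering the two conditional breakpoints quoted in Method 11 (BPX CreateFileA) and Method 13 (BPX _regopenkey): it models how SoftICE's *(addr)=='ABCD' compares four bytes at an offset into the argument string, so the offsets 4, 0x13 and 0x37 can be verified against the actual device names and registry keys, and derived for a new string with find_offset(). All device names and key paths in it are constructed test inputs; the function names are this example's own.

```c
/* Added example, not code from the original page: a C model of the two
 * SoftICE conditional breakpoints quoted above (Method 11 and Method 13),
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * so the offsets in them can be checked, and derived for other strings.
 * SoftICE's *(addr)=='ABCD' compares the 4 bytes at addr in string order,
 * which dword_at() reproduces. All strings used here are constructed test
 * inputs; nothing is read from a live process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack s[off..off+3] in string order. Returns 0 when the string ends
 * first: the real breakpoint would read whatever bytes follow in memory,
 * a model cannot, and 0 never equals a 4-letter literal. */
uint32_t dword_at(const char *s, size_t off)
{
    if (strlen(s) < off + 4)
        return 0;
    return ((uint32_t)(unsigned char)s[off] << 24) |
           ((uint32_t)(unsigned char)s[off + 1] << 16) |
           ((uint32_t)(unsigned char)s[off + 2] << 8) |
            (uint32_t)(unsigned char)s[off + 3];
}

/* The literal side of the comparison, packed the same way. */
uint32_t lit4(const char *literal)
{
    return dword_at(literal, 0);
}

/* esp->4 is lpFileName; +4 skips the "\\.\" device prefix, so the four
 * letters after it are compared (SIWVID and NTICE match on their first four). */
int bpx_createfile_hits(const char *lpFileName)
{
    uint32_t v = dword_at(lpFileName, 4);
    return v == lit4("SICE") || v == lit4("SIWV") || v == lit4("NTIC");
}

/* esp->8 is lpSubKey. 0x13 is the 't' of SoftICE in
 * "Software\NuMega\SoftICE" (key #2); 0x37 is the same character in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    return dword_at(lpSubKey, 0x13) == lit4("tICE") ||
           dword_at(lpSubKey, 0x37) == lit4("tICE");
}

/* Offset of the first occurrence of `needle` in `s` (-1 if absent): the
 * number to put after esp->8+ when writing such a condition for a new key. */
long find_offset(const char *s, const char *needle)
{
    const char *p = strstr(s, needle);
    return p ? (long)(p - s) : -1L;
}

int main(void)
{
    const char *names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",   /* SoftICE drivers */
        "\\\\.\\PhysicalDrive0",                         /* unrelated device */
        "SICE"                                           /* no \\.\ prefix */
    };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\"): %s\n", names[i],
               bpx_createfile_hits(names[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\"): %s ('tICE' at offset %ld)\n", keys[i],
               bpx_regopenkey_hits(keys[i]) ? "break" : "pass",
               find_offset(keys[i], "tICE"));
    return 0;
}
```

Running it shows one gap in the quoted _regopenkey breakpoint: key #3 (the Loader32.Exe App Paths entry) contains no 'tICE' at either offset and passes unnoticed; find_offset() reports 0x34 for "Load" in that key, which is the offset a third clause (*(esp->8+0x34)=='Load') would need.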

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

     VMMCall Test_Debug_Installed
     je  not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>