<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded,
AL is no longer 4 after the INT 3.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911          ; execute command.
4C19:0098 MOV DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647          ; 1st magic value.
4C19:009D MOV DI,4A4D          ; 2nd magic value.
4C19:00A0 INT 3                ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02            ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06            ; Repeat 6 times to execute
4C19:00A8 JB 0095              ; 6 different commands.
4C19:00AA JMP 0002             ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI still 0:0 means no such VxD
        jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next snippet, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (see Method 06)
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler, keeping the old vector
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler returns AX unchanged; a debugger does not
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter as a changing value for AL
        xor cx,cx
        int 41h                 ; our handler copies AL into CL...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless a debugger swallowed the interrupt
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

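As an added illustration of Method 10 (not part of the original text), the following decoder reads a DR7 value field by field, so the two values quoted above can be checked against the architectural layout rather than compared as opaque constants. The bit layout is the standard x86 one; function names and the 0xD0402 sample are this example's own.

```python
# Added example: decode the x86 DR7 debug-control register so the values
# quoted in Method 10 (0x700 / 0x400) can be read field by field.
# Field layout is the architectural one; names and samples are this example's own.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_NAMES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints (dr0-dr3) and the global flags."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln enable bit
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn enable bit
        if not (local or glob):
            continue                          # slot n not armed, skip it
        rw = (dr7 >> (16 + 4 * n)) & 0b11     # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * n)) & 0b11     # LENn: watched size
        slots.append({
            "reg": f"dr{n}",
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "len": LEN_NAMES[ln],
        })
    return {
        "breakpoints": slots,
        "le": bool(dr7 & (1 << 8)),   # LE: local exact-breakpoint enable
        "ge": bool(dr7 & (1 << 9)),   # GE: global exact-breakpoint enable
        "gd": bool(dr7 & (1 << 13)),  # GD: any MOV to/from DRx raises #DB
    }


def classify(dr7: int) -> str:
    """Apply the heuristic quoted in Method 10 to a DR7 value."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        armed = ", ".join(f'{b["reg"]} {b["type"]}/{b["len"]}'
                          for b in info["breakpoints"])
        return "memory breakpoints armed: " + armed
    if info["le"] and info["ge"]:
        return "LE/GE set, no breakpoints (the 0x700 case in the text)"
    return "no breakpoints and LE/GE clear (the 0x400 case in the text)"


if __name__ == "__main__":
    # 0xD0402: G0 set, R/W0=write, LEN0=4 bytes, reserved bit 10 set (constructed)
    for value in (0x700, 0x400, 0xD0402):
        print(f"dr7={value:#07x}: {classify(value)}")
```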
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Open the VxD by its device name; a valid handle means it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
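The breakpoints listed with each method catch the trick at run time. As an added counterpart that is not part of the original text, the following Python scan looks for the byte encodings of the checks from Methods 01 to 13 in a raw binary image, which is handy when triaging a packed executable offline. The patterns are this example's own encodings of the instruction sequences shown above (an optional 0x66 operand-size prefix covers 16-bit and 32-bit code), and SAMPLE is a constructed buffer, not bytes from any real packer.

```python
# Added example: static scan of a binary image for the byte encodings of the
# SoftICE checks listed in Methods 01-13. Patterns are this example's own
# encodings of the instruction sequences shown in the text; SAMPLE is constructed.
import re

SIGNATURES = {
    "M01 BoundsChecker 'BCHK' + int 3":
        rb"\xbd\x4b\x48\x43\x42[\x00-\xff]{0,8}?\xcc",        # mov ebp,4243484Bh .. int 3
    "M02 back door magic SI=4647h DI=4A4Dh + int 3":
        rb"\xbe\x47\x46\xbf\x4d\x4a[\x00-\xff]{0,8}?\xcc",    # mov si,4647h; mov di,4A4Dh .. int 3
    "M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    "M05 int 41h/4Fh":
        rb"\x66?\xb8\x4f\x00\xcd\x41",                        # mov ax,4Fh; int 41h
    "M07 int 68h/43h":
        rb"\xb4\x43\xcd\x68",                                  # mov ah,43h; int 68h
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",                     # \\.\SICE, \\.\SIWVID, \\.\NTICE
    "M12 VxDCall VWIN32_Int41Dispatch/4Fh":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",                     # push 4Fh; push 002A002Ah
    "M13 SoftICE registry key":
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(image))
    return sorted(hits)


# Constructed sample: Method 01 in 32-bit encoding, Method 03 in 16-bit
# encoding, then the MeltICE device name and registry key #2 as C strings.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"     # M01
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                     # M03
    + b"\x00\\\\.\\SICE\x00"                                  # M11
    + b"Software\\NuMega\\SoftICE\x00"                        # M13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#010x}  {name}")
```

Run it against a real image with `scan(open(path, "rb").read())`; a hit only marks a candidate sequence, so confirm it in the disassembly, since the short encodings can also occur by chance in data.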
</PRE></TD></TR></TBODY></TABLE>