<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: when SoftICE is
loaded, its int 3 handler recognises the 'BCHK' signature in EBP and
returns with AL changed, so AL still equals 4 only when SoftICE is absent.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
" C7 ]' Q" b5 [7 u" n- d* `/ B9 t
) o" \ c+ n( ]% bMethod 02, U, `' d5 l- S
=========
" C+ B0 c# a' f7 A, j( G
+ k1 L" R. Z4 L0 P( i JStill a method very much used (perhaps the most frequent one). It is used
- b4 U; R8 r2 [1 f5 yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,3 U% c& B9 d' B# b# z
or execute SoftICE commands...- i- e1 u$ z* K: ^5 O+ l
It is also used to crash SoftICE and to force it to execute any commands
2 f: k: ?$ _; c( {3 |- P, W(HBOOT...) :-(( I0 p9 {2 g' L; R7 `) r c
# j. u4 ]. K9 Q& x! Y- t2 kHere is a quick description:
( F2 A- L- }# M7 n" H-AX = 0910h (Display string in SIce windows)
2 D$ K! ^! V0 O-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)* H! k* @/ B- A I6 d
-AX = 0912h (Get breakpoint infos)+ j$ B, a+ N+ m1 Y1 n# n
-AX = 0913h (Set Sice breakpoints)1 _/ H- I9 U5 W8 o, X. n
-AX = 0914h (Remove SIce breakoints)# A. D* X0 J% v# @8 B
- g) w o( i( @! [$ tEach time you'll meet this trick, you'll see:* |8 x: F* Y* I
-SI = 4647h
& G" D8 U* n8 Q# `1 V-DI = 4A4Dh% d( R: H. X9 F% F, t: L+ }% G
Which are the 'magic values' used by SoftIce.
2 z/ ^3 _- \! w$ |/ a8 G+ S+ d! XFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.8 g/ \3 R9 x5 | p+ K
5 M# ]2 O, S4 [4 T' G
Here is one example from the file "Haspinst.exe" which is the dongle HASP; b" c! H; ]9 m# s) l' y0 R
Envelope utility use to protect DOS applications:0 w0 m4 ^9 }" e
. y' a$ ?7 I0 Y' f* R
. Z q4 O$ z1 U4 Y8 B4C19:0095 MOV AX,0911 ; execute command.' E6 W' Y6 T7 ]7 n! Q3 h+ q
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
6 [$ D; K* e" N" D$ _+ X9 h; u4C19:009A MOV SI,4647 ; 1st magic value.
] p* [ u: X/ B4 {3 s! b4C19:009D MOV DI,4A4D ; 2nd magic value.3 q: T5 T0 p, l' M
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*). j1 U( v/ @* M& ]# d" ^3 X
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute/ ^& h. w7 p2 D( s' I
4C19:00A4 INC CX3 p) T5 u1 f! e+ t
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
$ _; E/ N6 ^. j5 s3 ]3 z6 P4C19:00A8 JB 0095 ; 6 different commands.
6 `9 i. p7 s% y; F* B2 M4C19:00AA JMP 0002 ; Bad_Guy jmp back.' c/ E+ ^, W( q; t6 a
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
F" {2 {# C6 |, @) [% d0 Z1 d
3 U6 R6 e. @, y% C% y. w! RThe program will execute 6 different SIce commands located at ds:dx, which
3 z6 Z& v: y' w" h2 ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.9 a, n: y9 u+ k: l2 r* {. G4 w
5 |4 {, V h; r' n- p
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
+ G. @( w+ m9 G; x: n' K0 e___________________________________________________________________________
( Q" Y8 w+ f4 b0 ^) d% o0 W$ B _' S# o9 a: c% D4 {2 O& l; v
- G/ l; M* O: v7 |6 Z
Method 03
' [. W4 K3 i. h# {0 N; S7 }=========
, [' U i* U7 L! [2 j; _
4 \" \/ ~1 P, J8 f* x: u# z" L& ?Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h8 N% |- p, g, O4 b
(API Get entry point)0 ~) O, Q# \ J, H. P
2 I4 O- A2 P% U! w. T
, o& ?9 B% {- \: H xor di,di. D6 m4 D/ \6 P! n, t0 d- j/ P
mov es,di/ y. g! s$ R4 V; {
mov ax, 1684h 3 R. M! b9 ]6 f, x n
mov bx, 0202h ; VxD ID of winice
1 }* c: b; A* g int 2Fh2 `& k& Z0 r9 \$ b9 C# |* d9 d
mov ax, es ; ES:DI -> VxD API entry point, i* R) u/ a. k! j% }- Z! k
add ax, di
( W ]9 I: n; w test ax,ax
1 p$ n2 b% D: Q1 i jnz SoftICE_Detected
S \! B/ l9 S1 \) v
5 z; @& b5 G {# J___________________________________________________________________________% o8 P2 j9 R" B) Q- x

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE video VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the int 41h debugger interface, function
4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the real-mode
int 41h vector at a dummy IRET, so that nothing else in the interrupt
chain can answer the call: if AX still comes back as 0F386h, something that
intercepts int 41h before the vector table (SoftICE) answered it.

        xor ax,ax
        mov es,ax               ; ES must be 0 (the interrupt vector table);
                                ; not shown in the original listing
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========

Second method similar to the preceding one but harder to spot, because it
never compares anything against 0F386h. It installs its own int 41h handler,
which copies AL into CL, then issues int 41h with CX=0 and an unpredictable
AL (read from timer port 40h). If the program's own handler ran, CL==AL
afterwards; if the interrupt never reached it because SoftICE intercepted
int 41h, CL is still 0 and the debugger is detected.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): the
debugger interface on int 68h, function 43h, returns 0F386h just like
int 41h/4Fh.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
& [" M7 K% Z) S3 C
2 r8 E2 C. s" g! F) C; _Method 08& }- i' y6 A' c( j2 t- n# C0 I
=========( [8 S Z+ f8 M; H- d
& B& b/ I: s2 r' h
It is not a method of detection of SoftICE but a possibility to crash the# d# p: A" h$ G/ k
system by intercepting int 01h and int 03h and redirecting them to another1 P7 A" w8 j$ s! k1 S% |
routine.) q9 N3 H2 Z' i/ {) N$ o
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points, u/ @' I# [* t5 c
to the new routine to execute (hangs computer...)+ r2 ]" L! Q9 m
) W! X* L. B0 h( r" l! y mov ah, 25h
. ~4 G3 u& l" E$ @5 G7 q; P mov al, Int_Number (01h or 03h)5 j F ~* m3 c* d( T
mov dx, offset New_Int_Routine
7 Z/ p) u) ?) ]4 U5 }7 c int 21h
* H# E5 M/ Y- ~! W i! n) ]8 _* y; g" o* ~
__________________________________________________________________________; F$ o8 ^( K: {2 e7 j& F% R/ w) s
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply
by reading their values (ring 0 only). Values can be manipulated or changed
as well (clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD; the open
       only succeeds when the VxD is loaded and accepts DIOC_OPEN. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; open succeeded: detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

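All of the instruction sequences above (methods 01 to 07 and 12) and the
device names of method 11 are constants that can be found in a binary
statically, before it is ever run under SoftICE. The scanner below is an
added example, not code from the original text or from any of the programs
named on this page; the function and signature names are mine, the byte
encodings are the standard x86 ones, and the sample image is constructed
for the demonstration rather than taken from a real file.

```python
"""Static scanner for the SoftICE checks described on this page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str
    fragments: tuple    # byte sequences that must all be present...
    window: int = 32    # ...within this many bytes of the first one


# x86 encodings used below (16-bit operand size; 32-bit code only adds a
# 66h prefix in front of these bytes, which does not disturb the match):
#   B8 iw mov ax,imm16   BB iw mov bx,imm16   BE iw mov si,imm16
#   BF iw mov di,imm16   BD id mov ebp,imm32  B4 ib mov ah,imm8
#   CC    int 3          CD ib int imm8       3D iw cmp ax,imm16
#   68 id push imm32
SIGNATURES = (
    Signature("01 BoundsChecker 'BCHK' in EBP, int 3",
              (b"\xbd\x4b\x48\x43\x42", b"\xb8\x04\x00", b"\xcc")),
    Signature("02 SoftICE back door (SI=4647h, DI=4A4Dh), int 3",
              (b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc")),
    Signature("03 int 2Fh/1684h entry point of VxD 0202h (SICE)",
              (b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f")),
    Signature("04 int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
              (b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f")),
    Signature("05 int 41h function 4Fh compared with 0F386h",
              (b"\xb8\x4f\x00", b"\xcd\x41", b"\x3d\x86\xf3")),
    Signature("07 int 68h function 43h compared with 0F386h",
              (b"\xb4\x43", b"\xcd\x68", b"\x3d\x86\xf3")),
    Signature("12 VWIN32_Int41Dispatch (002A002Ah) via VxDCall",
              (b"\x68\x2a\x00\x2a\x00", b"\x3d\x86\xf3")),
)

# Device names opened by MeltICE-style checks (method 11).
DEVICE_NAME_RE = re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")


def _offsets(data: bytes, needle: bytes) -> list:
    """Every offset (overlapping allowed) at which needle occurs in data."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def scan_for_softice_checks(image: bytes) -> list:
    """Return [(method, offset), ...] sorted by offset.

    A signature fires at an occurrence of its first fragment only when every
    other fragment also occurs within `window` bytes of it, so a lone int 3
    or int 2Fh in ordinary code is not reported.
    """
    hits = []
    for sig in SIGNATURES:
        others = [_offsets(image, frag) for frag in sig.fragments[1:]]
        for off in _offsets(image, sig.fragments[0]):
            if all(any(sig.window >= abs(p - off) for p in occ) for occ in others):
                hits.append((sig.method, off))
    for m in DEVICE_NAME_RE.finditer(image):
        hits.append(("11 MeltICE device name " + m.group().decode(), m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image (not from a real file): the Haspinst.exe loop of
# method 02, a method 05 check, two MeltICE device names, and a lone
# `mov si,4647h` with no int 3 nearby that must NOT be reported.
SAMPLE_IMAGE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"            # mov ax,0911h  (execute command)
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h  -> hit at offset 13
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00"            # mov ax,4Fh    -> hit at offset 28
    + b"\xcd\x41"                # int 41h
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x74\x00"                # jz $+2
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"         # -> hit at offset 46
    + b"\\\\.\\NTICE\x00"        # -> hit at offset 55
    + b"\x90" * 8
    + b"\xbe\x47\x46"            # mov si,4647h at offset 73: not reported
    + b"\x90" * 64
)

if __name__ == "__main__":
    for method, off in scan_for_softice_checks(SAMPLE_IMAGE):
        print(f"{off:#06x}  {method}")
```

Run it against a raw DOS .EXE or the code section of a PE image; the window
requirement is what keeps it quiet on ordinary code, but a protector that
builds the registers with other instructions (push/pop, xor tricks) or
splits the sequence across jumps will slip past a byte scanner, so treat a
hit as a place to put a breakpoint, not as proof of the absence of a check.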
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>