<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; an unhooked int 3 leaves AL untouched
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
 -AX = 0910h (Display string in the SIce window)
 -AX = 0911h (Execute SIce command; DS:DX points to the command string)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911        ; execute command.
 4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647        ; 1st magic value.
 4C19:009D MOV DI,4A4D        ; 2nd magic value.
 4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
 4C19:00A8 JB 0095            ; 6 different commands.
 4C19:00AA JMP 0002           ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed before the call, so it stays
0000:0000 unless a VxD with that ID is loaded and exports a V86 API:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler (ES must point at the interrupt vector table,
segment 0), so the magic number can only come from a debugger that catches
the interrupt below the real-mode vector:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
Instead of looking for 0F386h, it checks whether its own handler was ever
reached: the handler copies AL (a value just read from the timer port) into
CL, and CX is cleared before the call. If the interrupt never reaches the
real-mode vector because a debugger swallowed it, CL stays 0:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer channel 0 -> a pseudo-random AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

(If the timer byte happens to be 0, CL equals AL even when the handler never
ran, so this check misses one time in 256.)
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only: a MOV from a debug register is privileged and
raises a general protection fault in ring3). Values can be manipulated or
changed as well (clearing BPMs for instance).

__________________________________________________________________________
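The 0x700 / 0x400 values above make more sense once DR7 is decoded. The Python
below is an added example, not code from the original text or from SoftICE: it
decodes a DR7 value with the bit layout from the Intel manual (L0..G3 enable
bits, R/W and LEN fields, LE/GE, the always-set reserved bit 10, GD) and then
applies the heuristic this method describes. The dr7 values and the breakpoint
address fed to it are constructed, since the real register cannot be read from
ring 3 anyway.

```python
# Added example (not from the original text): decode x86 DR7 the way the ring-0
# check of Method 10 would have to, then apply the page's heuristic.
# Bit layout (Intel SDM, DR7):
#   bit 2i   L<i>  local enable for DR<i>     bits 16+4i..17+4i  R/W<i>
#   bit 2i+1 G<i>  global enable for DR<i>    bits 18+4i..19+4i  LEN<i>
#   bit 8 LE, bit 9 GE (exact-breakpoint flags), bit 10 reserved (reads as 1),
#   bit 13 GD (general detect: traps any MOV to/from a debug register).
# So 0x700 is just LE|GE plus bit 10 with no slot enabled, and 0x400 is bit 10 alone.
# MOV from DRn is privileged (#GP in ring 3); all values below are constructed.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_NAMES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing what a DR7 value enables."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                     # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({"slot": i,
                      "scope": "global" if glob else "local",
                      "type": RW_NAMES[rw],
                      "length": LEN_NAMES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def softice_verdict(dr7, dr0_3):
    """Heuristic from the text: any armed slot means a BPM is set on that
    address; LE and GE set with no slot armed means the program was started
    from the SoftICE loader; otherwise nothing is visible in DR7."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        addrs = ", ".join(hex(dr0_3[s["slot"]]) for s in info["breakpoints"])
        return "bpm set on " + addrs
    if info["le"] and info["ge"]:
        return "loaded via SoftICE loader"
    return "clean"


if __name__ == "__main__":
    # Constructed register dumps: clean, SoftICE loader, and one 4-byte BPM W.
    for dr7, drs in ((0x400, [0, 0, 0, 0]),
                     (0x700, [0, 0, 0, 0]),
                     (0xD0401, [0x401000, 0, 0, 0])):
        print(hex(dr7), decode_dr7(dr7), "->", softice_verdict(dr7, drs))
```

The 0xD0401 dump is L0 set, R/W0 = 01 (break on write) and LEN0 = 11 (4 bytes),
which is what a "BPM dword" on DR0 looks like from the target's point of view.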

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
  (0x13 and 0x37 are the offsets of 'tICE' in the subkey strings of #2 and
   #1 respectively.)
__________________________________________________________________________
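Most of the tricks on this page leave a distinctive byte pattern in the
protected binary, which is the quickest way to find them before tracing. The
Python below is an added example, not from the original text or from any tool
it names: a signature scanner for the encodings of methods 01-05, 07, 11, 12
and 13 (the 16-bit instruction forms; in 32-bit code the same bytes simply
follow a 66h prefix, so the patterns still hit), run over a sample blob that I
assembled by hand from the Haspinst.exe loop of method 02, the method 05 check
and the MeltICE/registry strings. The signature set, the allowed gap between
instructions and the sample are my construction; treat hits as leads, since
the same bytes can occur in data.

```python
import re

# Added example, not from the original text: byte signatures for the SoftICE
# checks described on this page. Encodings used: mov r16,imm16 = B8+r iw,
# mov ebp,imm32 = BD id, mov ah,imm8 = B4 ib, int 3 = CC, int n = CD ib,
# push imm32 = 68 id, cmp ax,imm16 = 3D iw. Gap widths (.{0,n}) are my choice.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') before int 3
    ("01 int 3 BoundsChecker 'BCHK'", rb"\xBD\x4B\x48\x43\x42"),
    # 02: mov si,4647h and mov di,4A4Dh (either order) followed by int 3
    ("02 int 3 back door (SI=4647h DI=4A4Dh)",
     rb"(?:\xBE\x47\x46.{0,12}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}\xBE\x47\x46)"
     rb".{0,12}(?:\xCC|\xCD\x03)"),
    # 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    # 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh", rb"\xB8\x4F\x00.{0,24}\xCD\x41"),
    # 07: mov ah,43h ... int 68h
    ("07 int 68h/43h", rb"\xB4\x43.{0,8}\xCD\x68"),
    # 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    # 05/07/12: cmp ax,0F386h, optionally 66h-prefixed in 32-bit code
    ("magic 0F386h compare (05/07/12)", rb"\x66?\x3D\x86\xF3"),
    # 11: device names opened by MeltICE-style code ("\\.\SICE" etc.)
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # 13: registry keys that reveal the installation directory
    ("13 registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob):
    """Return [(signature name, offset), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample (not a real binary): the Haspinst.exe loop of method 02
# hand-assembled as 16-bit code, then the method 05 check, then the strings.
SAMPLE = (
    b"\xB8\x11\x09"                # mov ax,0911h
    + b"\x8B\x17"                  # mov dx,[bx]
    + b"\xBE\x47\x46"              # mov si,4647h
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x83\xC3\x02"              # add bx,2
    + b"\x41"                      # inc cx
    + b"\x83\xF9\x06"              # cmp cx,6
    + b"\x72\xEB"                  # jb back to the top of the loop
    + b"\x90" * 8                  # padding
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x05"                  # jz SoftICE_detected
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE",0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A match on the magic-number compare alone is weak (3D 86 F3 is three bytes);
it is worth reporting only next to an int 41h, int 68h or VxDCall hit.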

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>