<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0000:0000 when the VxD is absent
    jnz SoftICE_Detected

____________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must point at segment 0 (the interrupt vector table) here,
    ; as set up in method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...keeping the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, cl == al;
    jnz SoftICE_detected    ; if the debugger swallowed int 41h, cl is still 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
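To make the DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes a DR7 image the way a ring0 check would: it reports the LE/GE bits that separate the 0x700 and 0x400 cases and lists any armed DR0-DR3 breakpoints with their type and length. The field layout is the standard one from the Intel manuals; the DR7 values fed to it are constructed, since the register itself can only be read from ring0.

```python
# Added example: decode an x86 DR7 image. Field layout per the Intel SDM;
# the sample values below are constructed, not read from a live machine.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7):
    """Return the debugger-relevant fields of a DR7 value as a dict."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln: local enable for DRi
        glob = (dr7 >> (2 * i + 1)) & 1       # Gn: global enable for DRi
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: monitored size
        bps.append({"reg": f"dr{i}", "global": bool(glob),
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),           # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),           # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),          # general detect (traps DR access)
        "breakpoints": bps,
    }

def classify_dr7(dr7):
    """Map a DR7 image onto the cases the text describes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed: " + ", ".join(
            f"{b['reg']} {b['kind']} len={b['length']}" for b in d["breakpoints"])
    if d["le"] or d["ge"]:
        return "LE/GE set (the 0x700 pattern the text attributes to the SoftICE loader)"
    return "no debug state (the 0x400 pattern: only the always-set bit 10)"

# Constructed DR7 images:
#   0x400   -> reserved bit 10 only
#   0x700   -> bits 8 and 9 (LE, GE) on top of 0x400
#   0xF0401 -> 0x400 | L0 | R/W0=11 (read/write) | LEN0=11 (4 bytes), i.e. a
#              4-byte memory breakpoint on the address held in DR0
SAMPLES = {"clean": 0x400, "loader": 0x700, "bpm_dr0": 0xF0401}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8} dr7={value:#07x}: {classify_dr7(value)}")
```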
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE VxD answers the open, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

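The constants quoted in methods 01 to 12 (the 'BCHK' immediate, the SI/DI magic values, the VxD IDs, the 0F386h answer, the device names and the 002A002Ah VxDCall selector) are exactly what an analyst looks for when triaging a packed sample statically, before running it under a debugger at all. Here is an added example (not part of the original text) that turns them into byte signatures and reports which check a raw code buffer appears to contain; the instruction encodings assume the 16-bit DOS or 32-bit Win32 code the methods show, and the sample buffer is constructed.

```python
# Added example: static signatures for the SoftICE checks in methods 01-12.
# The encodings assume the 16-bit DOS / 32-bit Win32 code shown above; an
# assembler may pick other encodings, so a miss means "not found", not "clean".
import re
import struct

SIGNATURES = [
    # 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC), 32-bit code
    ("01 BoundsChecker 'BCHK' int 3",
     rb"\xbd" + re.escape(struct.pack("<I", 0x4243484B)) + rb".{0,8}?\xcc"),
    # 02: mov si,4647h (BE 47 46) ; mov di,4A4Dh (BF 4D 4A), 16-bit code
    ("02 int 3 back door magic SI/DI", rb"\xbe\x47\x46\xbf\x4d\x4a"),
    # 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh, 16-bit code
    ("03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh",
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h, 16-bit code
    ("05 int 41h/4Fh magic 0F386h",
     rb"\xb8\x4f\x00\xcd\x41.{0,16}?\x3d\x86\xf3"),
    # 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xb4\x43\xcd\x68"),
    # 11: the MeltICE device names as NUL-terminated ASCII strings
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # 12: push 4Fh (6A 4F) ; push 002A002Ah (68 2A 00 2A 00), 32-bit code
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]

def scan(buf):
    """Return every (offset, label) hit in buf, ordered by offset."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(buf))
    return sorted(hits)

# Constructed sample: NOP padding around four of the patterns above.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # method 01
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                  # method 03
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # method 11
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                      # method 12
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```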
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>