<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK' - BoundsChecker signature
 mov ax, 04h
 int 3 ; SoftICE answers the BoundsChecker request by changing al
 cmp al,4
 jnz SoftICE_Detected ; al was changed: SoftICE is loaded
) D! Z; ?, ]. s! Y/ g+ J___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h ; int 2Fh function: get VxD API entry point
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (stays 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h ; int 2Fh function: get VxD API entry point
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point (stays 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh ; debugger installation check
 int 41h
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; saving the old vector in bx:dx
 mov ax,4fh
 int 41h ; without a debugger our iret handler runs and ax stays 4Fh
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al to cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; al = timer port value (unpredictable)
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl==al only if our own handler really ran
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
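As an added example (not part of the original text), the following Python helper decodes a DR7 value so the 0x700 / 0x400 values quoted above and any BPM armed in dr0-dr3 become readable; it assumes the standard Intel DR7 bit layout and takes the register value as an integer, since reading the register itself needs ring0.

```python
# Added example: decode the DR7 debug control register (standard Intel layout).
# Bits 0-7 : L0,G0 .. L3,G3  local/global enable for dr0..dr3
# Bits 8,9 : LE, GE          exact-match bits (0x700 = LE + GE + bit 10)
# Bit  10  : reserved, always reads as 1 (hence the 0x400 baseline)
# Bit  13  : GD              general detect (trap on debug register access)
# Bits 16+ : R/W and LEN, two bits each, per breakpoint register

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the hardware breakpoints and control bits encoded in dr7."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue  # dr{i} is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "reg": "dr%d" % i,
            "scope": "global" if glob else "local",
            "kind": RW_KINDS[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
    }


def has_memory_breakpoints(dr7):
    """True if any of dr0..dr3 is enabled (what a BPM leaves behind)."""
    return bool(dr7 & 0xFF)


def softice_loader_signature(dr7):
    """True for the 0x700 pattern the text attributes to the SoftICE loader:
    LE and GE set with no breakpoint enabled."""
    return (dr7 & 0x300) == 0x300 and not has_memory_breakpoints(dr7)


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus one with a
    # 4-byte write BPM on dr0 and a 2-byte read/write BPM on dr2.
    for value in (0x700, 0x400, 0x70D0421):
        print(hex(value), decode_dr7(value))
```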

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* "\\\\.\\SICE" is the device name \\.\SICE of the SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
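As an added example (not from the original text), here is a Python scanner that encodes the checks of Methods 01 to 05, 07 and 11 to 13 as byte and string signatures, the way an analyst would look for them in a packed executable; the opcode encodings are the standard x86 ones, the device names and registry key are the ones quoted in the text, and the sample buffer is constructed.

```python
import re

# Added example: signatures of the SoftICE checks from Methods 01-05, 07, 11-13.
# Each mov pattern allows the optional 66h operand-size prefix that appears
# when the 16-bit register form is assembled inside 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BCHK int 3": rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh ahead of the int 3 backdoor
    "M02 int 3 backdoor": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04 int 2Fh 1684h": rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h 4Fh": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h 43h": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "M12 VxDCall Int41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: driver device names opened with CreateFileA/_lopen (ASCII only)
    "M11 MeltICE device": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: NuMega registry key
    "M13 registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return [(signature name, offset), ...] sorted by offset."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real binary): a prologue, the Method 01 sequence,
# the Method 12 push pair and the two strings from Methods 11 and 13.
SAMPLE = (
    b"\x55\x8B\xEC"                                        # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # offset 3: Method 01
    + b"\x3C\x04\x75\x20"                                  # cmp al,4 / jnz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # offset 17: Method 12
    + b"\x00\\\\.\\SICE\x00"                               # offset 30: \\.\SICE
    + b"Software\\NuMega\\SoftICE\x00"                     # offset 39: registry key
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print("%-22s at offset %d" % (name, off))
```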


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>