About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 means no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2       ; bx:dx = our dummy handler
    xchg    dx, es:[41h*4]          ; swap it into the IVT (es must be 0),
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; a loaded system debugger intercepts this and
                                    ; returns 0F386h; otherwise our dummy handler runs
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; dummy handler: copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h                     ; reaches our handler only if no debugger intercepts it
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al means our handler ran
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* CreateFile resolves to CreateFileA in a non-UNICODE build */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger-installation check (methods 05
&amp; 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
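Method 10 compares DR7 with 0x700 and 0x400. Decoding the register's documented bit layout (Intel SDM vol. 3, "Debug Registers") shows what those two values mean: bit 10 is reserved and always reads 1, so 0x400 is an idle DR7, while 0x700 additionally has the LE and GE "exact breakpoint" bits (8 and 9) set, and any BPM shows up in the L0-L3/G0-G3 enable bits and the R/W and LEN fields. The decoder below is an added example, not code from the post; the function names and classification strings are mine, and the 0xD0401 sample is a constructed value (DR0 armed as a 4-byte write breakpoint), not a reading from any system.

```python
"""Decode an x86 DR7 value (added example for Method 10, not from the post)."""

DR7_LE = 1 << 8             # local exact breakpoint enable
DR7_GE = 1 << 9             # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10  # reserved, always reads as 1 -> the 0x400 baseline
DR7_GD = 1 << 13            # general detect: trap on MOV to/from DR0-DR7

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding; 2 (8 bytes) is 64-bit mode only


def decode_dr7(dr7):
    """Return a dict with the four breakpoint slots and the global control bits."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))       # L0..L3
        glob = bool(dr7 & (1 << (2 * i + 1)))    # G0..G3
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LEN0..LEN3
        slots.append({
            "index": i,
            "local": local,
            "global": glob,
            "enabled": local or glob,
            "kind": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": slots,
        "local_exact": bool(dr7 & DR7_LE),
        "global_exact": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED_ONE),
    }


def debugger_fingerprint(dr7):
    """Classify a DR7 reading the way the Method 10 check interprets it."""
    d = decode_dr7(dr7)
    if any(s["enabled"] for s in d["breakpoints"]):
        return "hardware breakpoints armed"
    if d["local_exact"] or d["global_exact"]:
        return "debugger present (LE/GE set, no breakpoint armed)"
    return "clean (only the reserved bit set)"


if __name__ == "__main__":
    # 0xD0401 is a constructed value: L0 set, R/W0 = write, LEN0 = 4 bytes
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), "->", debugger_fingerprint(value))
```

Reading DR7 needs ring 0 (as the post says), so the decoder is meant for values captured by a kernel debugger or a VxD, not for a user-mode self-check.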
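Most of the tricks above leave fixed immediates or strings in the protected binary: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic of Method 02, the 1684h and 0202h/7A5Fh values of Methods 03 and 04, int 41h/4Fh and 0F386h of Method 05, ah=43h/int 68h of Method 07, the \\.\SICE-style device names of Method 11, the 002A002Ah VxDCall argument of Method 12 and the registry paths of Method 13. An analyst triaging a packed sample can therefore flag them statically. The following Python scanner is an added example and is not part of the original post or of any tool it mentions: the byte patterns are the standard x86 encodings of the instruction sequences quoted above (16-bit encodings for the DOS tricks), the gaps of up to 8 or 16 bytes between instructions are my assumption to tolerate a few interleaved instructions, and the sample buffer is hand-assembled rather than taken from any real file.

```python
import re

# Added example, not from the post. Byte-level signatures for the anti-SoftICE
# tricks; DOS sequences use 16-bit encodings, Win32 ones 32-bit encodings.
# ".{0,N}?" gaps are an assumption: they tolerate a few unrelated bytes between
# the instructions the post shows back to back. Strings are matched as ASCII only.
DRIVER_PREFIX = re.escape(b"\\\\.\\")   # the literal prefix  \\.\
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (66 BD 4B 48 43 42 in 16-bit code) ... int 3
    "m01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    "m02_int3_backdoor_magic": rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "m03_m04_int2f_vxd_entry":
        rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "m05_int41_4f": rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": rb"\xb4\x43.{0,8}?\xcd\x68",
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah
    "m12_vxdcall_int41dispatch":
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    "m11_meltice_device_name": DRIVER_PREFIX + rb"(?:SICE|SIWVID|NTICE)",
    # Method 13: the registry paths the post lists
    "m13_registry_path":
        rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a sorted list of (offset, signature_name) hits found in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not from any real binary): the Method 01 and Method 02
# sequences hand-assembled as 16-bit code, padded with NOPs, followed by a
# MeltICE device name and a registry path as they would sit in a data section.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK')
    + b"\xb8\x04\x00"               # mov ax, 4
    + b"\xcc"                       # int 3
    + b"\x3c\x04"                   # cmp al, 4
    + b"\x90" * 4
    + b"\xb8\x11\x09"               # mov ax, 0911h
    + b"\xbe\x47\x46"               # mov si, 4647h
    + b"\xbf\x4d\x4a"               # mov di, 4A4Dh
    + b"\xcc"                       # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"
)


def summarize(blob=SAMPLE):
    """Group hit offsets by signature name, handy for a triage report."""
    report = {}
    for off, name in scan(blob):
        report.setdefault(name, []).append(off)
    return report


if __name__ == "__main__":
    for name, offs in summarize().items():
        print(f"{name:28s} at {[hex(o) for o in offs]}")
```

A hit only says that a sequence the post describes is present in the file; a protector may also build the immediates at run time or store the device names as UTF-16, which this byte-level pass will miss, so treat the scanner as a first triage step rather than proof of absence.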