About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE's BoundsChecker interface changes al
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to be 0 here (the interrupt vector table segment),
    ; as Method 06 sets it explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]    ; (old vector is saved in dx:bx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if int 41h really reaches this vector
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read a changing value (PIT counter) into al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler was executed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                   ; DOS: set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
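Most of the tricks above leave fixed opcode or string patterns in a binary (the 'BCHK' immediate, the 4647h/4A4Dh pair, int 41h/4Fh with the 0F386h compare, the \\.\SICE device names, the 002A002Ah VxDCall constant), so an analyst can triage a sample statically before ever loading it under a debugger. The following Python scanner is an added example, not code from the original post; the sample blob is constructed here and the signature names are my own.

```python
"""Static scanner for the anti-SoftICE fingerprints catalogued in the post.

Added example, not part of the original text.  SAMPLE is a constructed
byte string that stitches several of the described sequences together;
it is not taken from any real program.
"""
import re

# name -> byte-pattern regex.  Immediates assembled for a 32-bit segment may
# carry a 66h operand-size prefix, hence the optional \x66.
SIGNATURES = {
    # Method 01: mov ebp, 04243484Bh ('BCHK') ... int 3
    "m01_bchk_int3":      rb"\xBD\x4B\x48\x43\x42.{0,12}\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    "m02_backdoor_magic": rb"\x66?\xBE\x47\x46|\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "m03_04_vxd_entry":   rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h
    "m05_int41_4f":       rb"\x66?\xB8\x4F\x00.{0,8}\xCD\x41",
    # Methods 05/06/07/12: cmp ax,0F386h
    "magic_f386":         rb"\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h ... int 68h
    "m07_int68_43":       rb"\xB4\x43.{0,8}\xCD\x68",
    # Method 11: driver device names opened with CreateFileA/_lopen
    "m11_device_name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key #2
    "m13_registry_key":   rb"Software\\NuMega\\SoftICE",
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41":  rb"\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP padding, then method 01 (32-bit), method 02 (16-bit),
# method 05 (16-bit), a device-name string and the method 12 VxDCall arguments.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"
    + b"\\\\.\\SICE\x00"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a raw code section (not a whole PE, to keep relocations and padding from producing noise); the patterns are deliberately tight so a hit is worth a manual look rather than a verdict.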