About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
answers a BoundsChecker query (EBP='BCHK', AX=4) by changing AL, so if AL
still holds 4 afterwards nobody answered the query.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the BoundsChecker query
    cmp     al,4                   ; AL unchanged: no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler
  (SEH) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is loaded, ES:DI receives its API entry
point, otherwise ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Both swap a dummy handler into the
int 41h vector of the real-mode IVT (ES must be 0) for the duration of the
call, so the answer cannot come from whatever handler sits in that vector;
SoftICE intercepts the interrupt before the IVT is consulted and still
returns 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, old vector -> DX:BX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; the caller loads AL with a fresh timer byte
(in al,40h), clears CX and issues int 41h. If the dummy handler ran, CL
equals AL; if SoftICE took the interrupt and the dummy handler never ran,
CL is still 0 and differs:

int41handler PROC
    mov     cl,al                   ; proof that this handler was reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h                  ; int 68h/43h: 'get debugger installed'
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; DS must hold the segment of New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
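To make the two DR7 values quoted above concrete, here is an added Python example (mine, not code from the original post) that decodes DR7 according to the field layout in the Intel manual and reports which of DR0..DR3 are armed; the register values fed to it are constructed, since reading DR7 itself needs ring 0.

```python
"""Decode the x86 DR7 debug-control register, as read in ring 0."""
from typing import Dict, List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}       # 10b = 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> Dict:
    """Field layout (Intel SDM vol. 3, Debug Registers): bits 0-7 are the
    L0,G0 .. L3,G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved and
    always 1, bit 13 GD, bits 16-31 four (R/W, LEN) pairs for DR0..DR3."""
    dr7 &= 0xFFFFFFFF
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),          # general detect: traps MOV to/from DRx
        "armed": [s["slot"] for s in slots if s["enabled"]],
        "slots": slots,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The page reports dr7 == 0x700 when the program was started from the
    SoftICE loader and 0x400 otherwise. Bit 10 is set in both; the difference
    is LE|GE (bits 8-9, the exact-breakpoint enables), so that is the test."""
    return (dr7 & 0x300) == 0x300


def describe(dr7: int) -> str:
    """One-line summary: loader signature plus every armed DR slot."""
    d = decode_dr7(dr7)
    parts = [f"dr7={dr7:#010x}",
             "loader" if looks_like_softice_loader(dr7) else "no loader"]
    for s in d["slots"]:
        if s["enabled"]:
            parts.append(f"DR{s['slot']}:{s['kind']}/{s['length']}B"
                         f"{'G' if s['global'] else 'L'}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values, not captured from a machine.
    for v in (0x400, 0x700, 0x700 | 0x1 | (3 << 16) | (3 << 18)):
        print(describe(v))
```

A BPM set from SoftICE shows up as one enabled slot with a read/write or write kind; a program that reads DR7 (or DR0..DR3 directly) from ring 0 and finds any slot enabled knows a hardware breakpoint is armed, which is exactly why the warning above tells you to clear breakpoints first.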
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE check: try to open the SoftICE VxD by its device name.  The open
   only succeeds if the driver is loaded and answers the DIOC_OPEN message. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;                   /* driver present: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; open failed: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument of CreateFileA,
 +4 skips the '\\.\' prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the inc/jnz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 -> 0 means the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it's only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offset 0x13
lands on 'tICE' in key #2 and 0x37 on 'tICE' in key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
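Most of the tricks above leave fixed byte sequences in the protected file: the 'BCHK' int 3 query of method 01, the 4647h/4A4Dh back-door magic of method 02, the int 2Fh/1684h VxD lookups of methods 03/04, the int 41h/4Fh and int 68h/43h checks of methods 05 and 07, the MeltICE device names of method 11 and the registry key names of this method. The following static scanner is an added example (mine, not part of the original post) that hunts for them in a raw file; it runs over a constructed buffer here. The opcode encodings are the standard ones, but the tolerated gaps between the setup instruction and the trap are my assumption, so treat hits as triage, not proof.

```python
"""Static hunt for the anti-SoftICE sequences described on this page."""
import re
from typing import List, Tuple

# (label, byte regex).  Encodings are the usual 16/32-bit ones; an optional
# 66h prefix before a 16-bit-operand instruction is simply skipped over.
# The .{0,N}? gaps are an assumption about how much may sit between the
# setup instruction and the trap; widen them if a packer pads its code.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' / int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,6}?\xcc"),            # mov ebp,4243484Bh .. int 3
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh)",
     rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"),            # mov si,4647h .. mov di,4A4Dh
    ("M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f"),
    ("M05 int 41h/4Fh debugger installation check",
     rb"\xb8\x4f\x00.{0,6}?\xcd\x41"),                # mov ax,4Fh .. int 41h
    ("M07 int 68h/43h debugger installation check",
     rb"\xb4\x43.{0,6}?\xcd\x68"),                    # mov ah,43h .. int 68h
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),          # "\\.\SICE",0 and friends
    ("M13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, label) hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    hits.sort()
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed buffer (hand-assembled, not taken from any real program):
# one instance of each sequence between NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"      # M02: the Haspinst.exe loop body
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                      # M03: mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                      # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3"                          # M07: mov ah,43h; int 68h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # M11 device names
    + b"Software\\NuMega\\SoftICE\x00"                         # M13 registry key
    + b"\x90" * 4
)

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, label in hits:
        print(f"{off:#08x}  {label}")
```

Run it with a file name to scan a real executable; the 16-bit DOS cases (methods 01-07) only show up if the code is not packed, so unpack first, or run the scanner over a memory dump taken after the unpacker has finished.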

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set: no debugger

This service just checks a flag.