<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the BoundsChecker
    cmp al,4                ; query and leaves AL != 4 when it is present
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is first replaced by
a dummy handler, so that only a debugger sitting below the vector table can
answer the call:

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; reached only if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read timer channel 0: an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL was never set: a debugger swallowed int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
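
As an added example (not part of the original text), here is a small Python
scanner an analyst can run over a DOS/Win9x sample to see which of the methods
above it carries. The byte patterns are my own encodings of the snippets listed
(16-bit operand size assumed for the DOS ones), and the sample buffer is
constructed for the demonstration:

```python
import re

# Byte-level signatures for the methods listed above. Machine-code patterns use
# the 16-bit encodings of the DOS snippets (in 16-bit code the BD of Method 01
# is preceded by a 66h prefix, which does not disturb the match); the short
# ".{0,8}?" gaps allow the few instructions the snippets place in between.
SIGNATURES = [
    ("M01 BoundsChecker BCHK",    re.compile(rb"\xBD\x4B\x48\x43\x42")),                  # mov ebp,4243484Bh
    ("M02 back-door magic SI/DI", re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)), # mov si,4647h / mov di,4A4Dh
    ("M03 int 2F VxD id SICE",    re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),     # mov bx,0202h / int 2Fh
    ("M04 int 2F VxD id SIWVID",  re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),     # mov bx,7A5Fh / int 2Fh
    ("M05 int 41 fn 4F",          re.compile(rb"\xB8\x4F\x00\xCD\x41")),                  # mov ax,4Fh / int 41h
    ("M07 int 68 fn 43",          re.compile(rb"\xB4\x43\xCD\x68")),                      # mov ah,43h / int 68h
    ("M11 MeltICE device name",   re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),       # "\\.\SICE" etc.
    ("M12 VxDCall Int41Dispatch", re.compile(rb"\x68\x2A\x00\x2A\x00")),                  # push 002A002Ah
    ("M13 registry key",          re.compile(rb"Software\\NuMega\\SoftICE")),
    ("magic 0F386h compare",      re.compile(rb"\x3D\x86\xF3")),                          # cmp ax,0F386h
]


def scan(image: bytes) -> list:
    """Return every (offset, signature name) hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(image: bytes) -> list:
    """Distinct signature names present in the image, in order of first hit."""
    seen = []
    for _, name in scan(image):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: the Method 01 and Method 05 snippets assembled for 16-bit
# code plus a MeltICE-style device name, padded with NOPs. Not a real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh   ('BCHK')
    + b"\xB8\x04\x00\xCC"       # mov ax, 4 / int 3
    + b"\x3C\x04\x75\x00"       # cmp al, 4 / jnz
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax, 4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x00"   # cmp ax, 0F386h / jz
    + b"\\\\.\\SICE\x00"        # "\\.\SICE", as passed to CreateFileA
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Feed it the raw bytes of a file (or of a memory dump) instead of SAMPLE; a hit
only tells you which trick to expect, so confirm it with the breakpoints given
under each method.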
</PRE></TD></TR></TBODY></TABLE>