About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

SoftICE answers this BoundsChecker query by changing AL; if AL still holds
4 after the int 3, nothing handled the call and no debugger is present.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If no VxD claims the ID, ES:DI is left at
0000:0000 (the code zeroes both first), so a non-zero sum means the
entry point exists.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

8 L& v8 R( M3 Z0 F0 I1 T* Z$ E__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Note that ES must already point at segment 0 (the interrupt vector table)
here; method 06 below sets it up explicitly. The xchg pairs swap the real
mode int 41h vector with a dummy handler around the call and restore it
afterwards, so only a debugger that intercepts int 41h before the vector
table is consulted can still answer 0F386h.

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

No 4Fh or 0F386h constant appears in the code: AL is loaded with a fresh
timer value from port 40h and the replacement handler copies AL into CL.
If the int 41h reaches the handler installed in the IVT, CL equals AL
afterwards; if a debugger swallows the call first, CL stays 0 and the
check fires (when the port happens to return 0 the check is silently
defeated, once in 256 reads).

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
The 0x400 baseline is bit 10 of DR7, which is reserved and always reads as 1;
0x700 additionally has the LE and GE exact-match enable bits (bits 8 and 9)
set. A BPM shows up as an enable bit in the low byte of DR7 plus a non-zero
R/W and LEN field for the corresponding dr0-dr3 slot.

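Added example, not from the original text: a decoder for the DR7 value that a ring0 check of the kind described in method 10 reads, plus the two tests a packer derives from it (the 0x700-versus-0x400 loader signature and the presence of memory breakpoints) and the "clear the BPMs" manipulation. The bit layout is the documented x86 one (enable bits 0-7, LE/GE bits 8-9, reserved bit 10, GD bit 13, R/W and LEN fields from bit 16 upwards); the register values in the sample are made up for this example.

```python
# DR7 bit fields (x86 debug control register).
BP_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/W field
BP_LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field; 10b is 8 bytes in 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the per-slot condition fields of DR7."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wn: bits 16+4n, 17+4n
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENn: bits 18+4n, 19+4n
        slots.append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": BP_TYPES[rw],
            "length": BP_LENGTHS[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),     # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),     # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),    # general detect (trap on DRx access)
        "breakpoints": slots,
    }


def loaded_by_softice_loader(dr7: int) -> bool:
    """The text's dr7==0x700 test: LE and GE set on top of reserved bit 10."""
    return (dr7 & 0x700) == 0x700


def active_bpms(dr0_3, dr7: int) -> list:
    """(slot, address, type, length) for every enabled hardware breakpoint,
    i.e. what reading dr0..dr3 together with dr7 reveals about BPMs."""
    info = decode_dr7(dr7)
    return [(i, addr, s["type"], s["length"])
            for i, (addr, s) in enumerate(zip(dr0_3, info["breakpoints"]))
            if s["enabled"]]


def cleared_bpms(dr7: int) -> int:
    """DR7 with every breakpoint disabled and its condition fields zeroed,
    keeping LE/GE/reserved/GD (bits 8-15) as they were."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    # Constructed sample: loader signature plus a 4-byte write BPM in slot 0
    # (L0, G0, R/W0=01b, LEN0=11b), i.e. 0x700 | 0x3 | 0x10000 | 0xC0000.
    dr7 = 0xD0703
    dr0_3 = (0x00401234, 0, 0, 0)
    print(f"loaded via SoftICE loader: {loaded_by_softice_loader(dr7)}")
    for slot in active_bpms(dr0_3, dr7):
        print("BPM slot %d at %#010x, %s, %d byte(s)" % slot)
    print(f"after clearing BPMs: DR7 = {cleared_bpms(dr7):#x}")
```

Reading DR0-DR7 with `mov eax, drN` is a privileged instruction, which is why the text restricts the trick to ring0; the decoder only interprets values that were already obtained that way.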
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
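Added example, not part of the original text and not taken from any packer: a small static scanner that looks for the byte-level fingerprints of methods 01 to 07, 11, 12 and 13 in a raw DOS/Win9x image, which is the check a practitioner runs on a protected binary before tracing it. The opcode encodings are the standard 16/32-bit x86 ones (immediates little-endian, `66` prefix optional for method 01); the short `.{0,8}?` gaps tolerate a few unrelated instructions between the register setup and the interrupt, as in the Haspinst.exe listing. The sample image is hand-assembled here and is not a dump of any real program.

```python
import re

# Byte-level fingerprints of the anti-SoftICE tricks described above.
SIGNATURES = {
    "method 01: int 3 BoundsChecker 'BCHK' check":
        rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\xcc",        # mov ebp,4243484Bh ; int 3
    "method 02: int 3 backdoor, SI=4647h DI=4A4Dh":
        rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc",  # mov si,4647h ; mov di,4A4Dh ; int 3
    "method 03: int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xbb\x02\x02.{0,8}?\xcd\x2f",                 # mov bx,0202h ; int 2Fh
    "method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f",                 # mov bx,7A5Fh ; int 2Fh
    "method 05/06: int 41h function 4Fh":
        rb"\xb8\x4f\x00.{0,8}?\xcd\x41",                 # mov ax,4Fh ; int 41h
    "method 07: int 68h function 43h":
        rb"\xb4\x43.{0,8}?\xcd\x68",                     # mov ah,43h ; int 68h
    "method 11: SoftICE device name for CreateFileA/_lopen":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",           # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    "method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh":
        rb"\x6a\x4f.{0,4}?\x68\x2a\x00\x2a\x00",         # push 4Fh ; push 2A002Ah
    "method 13: NuMega\\SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}

# DOTALL so the gap wildcards also match 0x0A bytes.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> list:
    """Return [(offset, signature name), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    hits.sort()
    return hits


# Constructed sample image: hand-assembled fragments separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"                    # mov ax,0911h          (method 02 setup)
    + b"\x8b\x17"                        # mov dx,[bx]
    + b"\xbe\x47\x46"                    # mov si,4647h
    + b"\xbf\x4d\x4a"                    # mov di,4A4Dh
    + b"\xcc"                            # int 3
    + b"\x90" * 3
    + b"\x31\xff\x8e\xc7"                # xor di,di ; mov es,di (method 03)
    + b"\xb8\x84\x16"                    # mov ax,1684h
    + b"\xbb\x02\x02"                    # mov bx,0202h
    + b"\xcd\x2f"                        # int 2Fh
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41"            # mov ax,4Fh ; int 41h  (method 05)
    + b"\x3d\x86\xf3"                    # cmp ax,0F386h
    + b"\x90" * 3
    + b"\xb4\x43\xcd\x68"                # mov ah,43h ; int 68h  (method 07)
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh ; push 2A002Ah (method 12)
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                 # device names          (method 11)
    + b"\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"   # registry key          (method 13)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Method 05 in 32-bit code is encoded `66 B8 4F 00 CD 41`; the pattern still matches on the `B8 4F 00` part. Methods 08, 09, 10 and 14 have no fixed byte signature (a `VMMCall` is a relocated `int 20h` plus service number, and a DR7 read is just `mov eax, dr7`), which is why they are left to the SoftICE breakpoints given in their sections.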


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>