About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES=0 -> interrupt vector table (needed for es:[...] below)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


7 m" k. K$ c, g) t5 f8 sMethod 06. u% \6 m6 L/ n) m+ G# d
=========  \9 y3 ?  ]% S/ m. W

6 e+ `. _6 Q6 v6 r& \: N# _# h  d3 O4 Z  ~" M& O& y4 t
2nd method similar to the preceding one but more difficult to detect:
- D. e1 Q; W. x" `* O
4 Z) M6 s3 a$ ?0 l9 v/ u5 P
% e# [- A, t6 D! s9 W) Eint41handler PROC
1 S/ u; @1 v' T" }0 Y    mov     cl,al4 S7 H& X  j' ^8 d) O% r; y
    iret
9 j0 Y0 \. ]" x% M# f$ _int41handler ENDP
& [5 s+ m' N0 r$ D$ e; G3 J) y/ a4 B4 b" F+ v9 L

" \" b& E7 O3 a$ I# k: F( S    xor     ax,ax
* o0 W3 ~1 ~3 B* R, x# K    mov     es,ax% ?  e) n6 t& u# X% J  c* j% U
    mov     bx, cs
7 |1 d4 Q0 o7 m3 h    lea     dx, int41handler! M) @% b: q% n, g4 S
    xchg    dx, es:[41h*4]( k5 n9 D) B1 S* Y8 u
    xchg    bx, es:[41h*4+2]/ c2 z( j$ z2 `6 K( _! A
    in      al, 40h3 y1 ]( z  c) d, @7 d9 i! N0 e0 _
    xor     cx,cx
; n" H5 L( X( I+ g+ j# m: [    int     41h
. d9 o% G1 U5 C8 Z8 R" s# Y    xchg    dx, es:[41h*4]) i1 b" ]7 Y1 E9 B) e8 l1 T6 R! @
    xchg    bx, es:[41h*4+2]
7 y- ?; ?+ Y" {6 F6 c# _, ~    cmp     cl,al  x( M" \5 y0 M, p5 {
    jnz     SoftICE_detected
% r- S3 \8 m. Z2 y6 o
8 k6 r: S! a; _# m" o! O_________________________________________________________________________; n5 \1 j9 R( t8 o# a, {% C

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

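The opcode sequences and strings in Methods 01-07 and 11-13 above can be turned into a static triage check that flags these tricks in a sample before it is run. This is an added example, not code from the original text: the instruction encodings are assumed from the standard x86 opcode map, and the test image is constructed, not taken from a real binary.

```python
import re

# Byte-level signatures for the checks described in Methods 01-07 and 11-13.
# Immediates are little-endian; the optional 66h operand-size prefix lets the
# 16-bit and 32-bit encodings of the same instruction both match. Assumption:
# straightforward codegen, no junk bytes between instructions except where a
# short gap is explicitly allowed (Method 02).
DEVICE_NAMES = [b"\\\\.\\" + n + b"\x00" for n in (b"SICE", b"SIWVID", b"NTICE")]

SIGNATURES = {
    "M01 int3/BCHK":      rb"(?:\x66)?\xBD\x4B\x48\x43\x42",       # mov ebp,4243484Bh
    "M02 int3 magic":     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",      # mov si,4647h .. mov di,4A4Dh
    "M03 int2F SICE":     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F",
    "M04 int2F SIWVID":   rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F",
    "M05 int41/4F":       rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",        # mov ax,4Fh; int 41h
    "M07 int68/43":       rb"\xB4\x43\xCD\x68",                     # mov ah,43h; int 68h
    "F386 magic compare": rb"(?:\x66)?\x3D\x86\xF3",                # cmp ax,0F386h (M05/07/12)
    "M11 device name":    b"|".join(re.escape(n) for n in DEVICE_NAMES),
    "M12 VxDCall 41/4F":  rb"\x6A\x4F\x68\x2A\x00\x2A\x00",         # push 4Fh; push 002A002Ah
    "M13 registry key":   re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes):
    """Return sorted (offset, signature name) pairs found in a raw image."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image, not a real binary: NOP padding, the Method 02
    sequence from the HASPINST listing, a MeltICE device name, and the
    simplest Method 05 check followed by its magic-number compare."""
    haspinst = (b"\xB8\x11\x09"   # MOV AX,0911
                b"\x8B\x17"       # MOV DX,[BX]
                b"\xBE\x47\x46"   # MOV SI,4647
                b"\xBF\x4D\x4A"   # MOV DI,4A4D
                b"\xCC")          # INT 3
    meltice = b"\\\\.\\SICE\x00"
    int41 = (b"\xB8\x4F\x00"      # mov ax,4Fh
             b"\xCD\x41"          # int 41h
             b"\x3D\x86\xF3"      # cmp ax,0F386h
             b"\x74\x10")         # jz SoftICE_detected
    return b"\x90" * 16 + haspinst + b"\x00" * 8 + meltice + b"\xCC" * 4 + int41


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:08x}  {name}")
```

A match is a triage hint, not proof: the two-byte sequences of Method 07 in particular can occur by chance in data, so confirm a hit by disassembling at the reported offset.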
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>