About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to the IVT (es = 0)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>