<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the 'BCHK' request
    cmp al,4                ; AL is left untouched when no SoftICE is loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command; the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (If SIce is not loaded, jmp to 00AD*.)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 when no VxD with that ID answers
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table), set up as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; with SoftICE loaded, AX comes back as 0F386h despite our handler
    xchg dx, es:[41h*4]     ; restore the previous handler
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; without a debugger AX still holds 4fh
int41handler2 ENDP


_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary byte from the timer port instead of 4fh
    xor cx,cx
    int 41h                 ; if SoftICE answers instead of our handler, CL stays 0
    xchg dx, es:[41h*4]     ; restore the previous handler
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the device name "\\.\SICE" can only be opened when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
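As an added example (not from the original text, nor from any of the tools or files it names), here is a small static triage scanner an analyst can run over a code blob to flag the byte patterns of the checks from Methods 01 to 07, 11 and 12 above, and to name the Method 02 back-door function selected in AX. The opcode encodings, the 16-byte look-back window and the sample bytes are assumptions constructed for the example.

```python
import re

# Hand-assembled x86 encodings of the checks described in the text (assumed
# from the Intel opcode map; 16-bit code, 66h prefix optional where marked).
RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BCHK int3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (the two magic values)
    "M02 int3 backdoor": rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int2F 1684": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    "M05/06 int41 4F": rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "M07 int68 43": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): the device names handed to CreateFileA / _lopen
    "M11 device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "M12 VxDCall 2A002A": rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
}

# Method 02 back-door functions selected through AX (from the list above).
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command at ds:dx",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}

def scan(blob):
    # {rule name: [offsets]} for every rule that fires; DOTALL lets '.' match 0x0A
    hits = {n: [m.start() for m in re.finditer(p, blob, re.DOTALL)]
            for n, p in RULES.items()}
    return {n: o for n, o in hits.items() if o}

def backdoor_function(blob, off):
    # For a Method 02 hit at `off`, take the last mov ax,imm16 (B8 iw) in the
    # 16 bytes before it and name the back-door function it selects.
    movs = list(re.finditer(rb"\xB8(..)", blob[max(0, off - 16):off], re.DOTALL))
    if not movs:
        return None
    ax = int.from_bytes(movs[-1].group(1), "little")
    return ax, BACKDOOR_FUNCS.get(ax, "unknown")

# Constructed sample: the Haspinst.exe loop from Method 02 hand-assembled as
# 16-bit code, then a MeltICE device string, then the Method 05 int 41h check.
SAMPLE = (
    b"\xB8\x11\x09\x8B\x17"                   # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"         # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB" # add bx,2 ; inc cx ; cmp cx,6 ; jb 0095
    + b"\x00" * 4                             # padding
    + b"\\\\.\\SICE\x00"                      # "\\.\SICE",0 as passed to CreateFileA
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"     # mov ax,4Fh ; int 41h ; cmp ax,0F386h
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(f"{name:20s} at {[hex(o) for o in offs]}")
    print("back door function:", backdoor_function(SAMPLE, scan(SAMPLE)["M02 int3 backdoor"][0]))
```

The rules are deliberately narrow byte signatures, so a packer that reorders the moves or inserts junk between them will not match; they are a triage aid for spotting the tricks above in a dump, not a complete detector.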

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>