About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 here (IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SoftICE driver by its device name; only succeeds if loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.