About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (es is assumed to be 0 here, i.e. pointing at the IVT, as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory.
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
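Most of the tricks above boil down to a handful of fixed instruction sequences (the 'BCHK' immediate, the 4647h/4A4Dh magic values, int 2Fh/1684h with a SoftICE VxD ID, int 41h/4Fh, the 0F386h compare, the `\\.\SICE` device names, the 002A002Ah VxDCall), so they can be found statically in a file before it ever runs. The scanner below is an added example, not part of the original post: it encodes the byte patterns of Methods 01, 02, 03/04, 05, 07, 11 and 12 as regular expressions over raw bytes and runs them over a small hand-assembled buffer. The sample bytes, signature names and the `Sig`/`scan` helpers are all constructed for this demonstration; the patterns cover the instruction order shown in the post (16-bit operand size, with the 66h prefix of 32-bit code simply skipped over), so reordered or obfuscated variants will not match.

```python
"""Static scanner for the anti-SoftICE opcode sequences described in the post."""
import re
from typing import List, NamedTuple, Tuple


class Sig(NamedTuple):
    method: str      # method number(s) from the post
    name: str
    pattern: bytes   # regex over raw bytes; immediates are little-endian


# Encodings assume 16-bit operand size. In 32-bit code the same instructions
# carry a 66h prefix, which these patterns do not include and so skip over.
SIGNATURES: List[Sig] = [
    Sig("01", "BoundsChecker 'BCHK' int 3 check",
        rb"\xBD\x4B\x48\x43\x42"),                          # mov ebp,4243484Bh
    Sig("02", "SoftICE backdoor magic values in SI/DI",
        rb"\xBE\x47\x46\xBF\x4D\x4A"),                      # mov si,4647h / mov di,4A4Dh
    Sig("03/04", "int 2Fh/1684h VxD entry point lookup",
        rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"),   # mov ax,1684h / mov bx,id / int 2Fh
    Sig("05", "int 41h function 4Fh debugger check",
        rb"\xB8\x4F\x00\xCD\x41"),                          # mov ax,4Fh / int 41h
    Sig("05/07/12", "compare with magic number 0F386h",
        rb"\x3D\x86\xF3"),                                  # cmp ax,0F386h
    Sig("07", "int 68h function 43h check",
        rb"\xB4\x43\xCD\x68"),                              # mov ah,43h / int 68h
    Sig("11", "MeltICE driver name",
        rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),               # "\\.\SICE" etc., NUL-terminated
    Sig("12", "VxDCall VWIN32_Int41Dispatch with 4Fh",
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                  # push 4Fh / push 002A002Ah
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, name) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, blob):
            hits.append((m.start(), sig.method, sig.name))
    return sorted(hits)


# Constructed sample: hand-assembled fragments in the order Method 01, 02, 05,
# 03 plus two MeltICE strings, padded with filler. Not taken from any real binary.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 (66h: 32-bit mov in 16-bit code)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02, Haspinst loop body
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                      # Method 11 strings
)

if __name__ == "__main__":
    for off, method, name in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<9} {name}")
```

Run over a real packed executable the same `scan()` gives you the offsets to put a breakpoint on, or to compare against the BPX conditions listed in the post; a hit on the 0F386h compare alone is worth a look even when none of the int 41h/68h sequences precede it, since the constant may be loaded indirectly.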