<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with 'BCHK' in EBP
and AX=4, an INT 3 is recognised and answered by SoftICE, which modifies AL.
If AL still holds 4 afterwards, nobody serviced the call and SoftICE is not
loaded.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM').
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV     AX,0911         ; execute command.
4C19:0098  MOV     DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A  MOV     SI,4647         ; 1st magic value.
4C19:009D  MOV     DI,4A4D         ; 2nd magic value.
4C19:00A0  INT     3               ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD     BX,02           ; BX+2 to point to the next command to execute
4C19:00A4  INC     CX
4C19:00A5  CMP     CX,06           ; Repeat 6 times to execute
4C19:00A8  JB      0095            ; 6 different commands.
4C19:00AA  JMP     0002            ; Bad_Guy: jump back.
4C19:00AD  MOV     BX,SP           ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed by the program's own exception (INT 3)
  handler if the debugger is not loaded: with no SoftICE to service the
  interrupt, the vector the program installed gets control instead.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives its API
entry point, otherwise ES:DI stays 0:0, which is why the code clears ES and
DI first.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; nonzero if an entry point came back
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID, the SoftICE video driver).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Under Windows the VMM reflects int 41h to
the system debugger, but under plain DOS the int 41h vector is not a handler
at all (it is the pointer to the fixed disk parameter table), so a blind
int 41h can crash a machine with no debugger. These two variants therefore
swap in their own harmless handler first, make the call, and restore the
original vector; a system debugger hooking the interrupt still answers 0F386h:

        mov     bx, cs                  ; ES must already be 0 (IVT segment) here
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, keep the old
        xchg    bx, es:[41h*4+2]        ; vector in DX:BX
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: there is no
magic constant to search for. The program reads the PIT counter (port 40h)
into AL, calls int 41h with CX=0 and lets its own int 41h handler copy AL
into CL. If the interrupt reached that handler untouched, CL equals AL
afterwards; if a debugger swallowed the interrupt instead of passing it on
to the vector, CL is still 0 while AL is (almost always) nonzero, and the
mismatch gives it away. Note the 1-in-256 false negative when the counter
byte happens to be 0.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old
        xchg    bx, es:[41h*4+2]        ; vector in DX:BX
        in      al, 40h                 ; unpredictable value from the timer
        xor     cx, cx
        int     41h                     ; AX is not 4Fh: not the classic check
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86). AH=43h is the
installation check of the Windows debugging interface (listed in Ralf
Brown's Interrupt List under int 68h) and returns the same 0F386h magic
as int 41h/4Fh:

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...). Once the
program owns int 1 and int 3, every single-step trap and software breakpoint
the debugger relies on lands in the program's routine instead.

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise:
bit 10 of DR7 is reserved and always reads as 1, and the extra 0x300 are the
LE/GE bits the loader leaves set) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (in ring 0 only, since MOV from
a debug register faults at ring 3). Values can be manipulated or changed as
well (clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD; the open only
       succeeds if the driver is loaded and answers the DIOC_OPEN message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push    00402025        ; \\.\SICE
0040106C:  call    CreateFileA
00401071:  cmp     eax,-001        ; INVALID_HANDLE_VALUE
00401074:  je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so
   the dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
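The breakpoints listed above catch these tricks while the program runs. To find
them before single-stepping into them, here is an added example (not code from
the original text, nor from any tool it names) of a static signature scan:
a Python script that looks for the byte sequences methods 01, 02, 03/04, 05,
07, 11 and 12 leave in a binary. The opcode encodings are hand-assembled from
the snippets above and are this example's own assumption about how a packer
would encode them; the sample buffer it scans by default is constructed here
and comes from no real program.

```python
"""Static scanner for the anti-SoftICE tricks described on this page."""
import re
import sys
from typing import Dict, List, Tuple

# Byte patterns, hand-assembled from the snippets above (16-bit encodings for
# the DOS/real-mode variants, 32-bit pushes for method 12). They are this
# example's own assumption, not signatures taken from the original text; an
# optional 66h operand-size prefix is tolerated where 32-bit code is plausible.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42); the rest varies too much
    "M01 BoundsChecker 'BCHK' / int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh (a few bytes may sit in between)
    "M02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h SICE or SIWVID VxD ID":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh debugger installation check":
        rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/07/12: cmp ax,0F386h (3 bytes only: corroborating evidence)
    "M05/07/12 cmp ax,0F386h":
        rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h V86 debugger check":
        rb"\xB4\x43\xCD\x68",
    # Method 11: the ANSI device names MeltICE hands to CreateFileA/_lopen
    "M11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch fn 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, trick) pairs for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in _COMPILED for m in rx.finditer(blob)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed input: NOP filler around one hand-assembled instance each of
    methods 01, 02, 03, 05, 07, 11 and 12 (not bytes from any real binary)."""
    nops = b"\x90" * 16
    m01 = b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    m02 = b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,911; mov dx,[bx]; mov si,4647; mov di,4A4D; int 3
    m03 = b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # xor di,di; mov es,di; mov ax,1684; mov bx,202; int 2F
    m05 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # mov ax,4F; int 41; cmp ax,F386; jz
    m07 = b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # mov ah,43; int 68; cmp ax,F386
    m11 = b"\\\\.\\SICE\x00"                                           # "\\.\SICE",0
    m12 = b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # push 4F; push 2A002A; call; cmp ax,F386
    return nops.join([b"", m01, m02, m03, m05, m07, m11, m12, b""])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name in scan(data):
        print(f"{offset:08X}  {name}")
```

Run it as "python scan.py packed.exe" to list offsets and trick names. A clean
result proves nothing: packers routinely build these instructions at run time,
split them with junk, or load the values from a table (the HASP example above
fetches its commands through ds:dx), and methods 06, 08, 09, 10, 13 and 14 have
no fixed byte signature at all (06 avoids the 0F386h constant on purpose).
Treat the 3-byte "cmp ax,0F386h" hit as corroboration only, and keep the BPX
and BPINT breakpoints as the real check.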
5 l2 B8 A4 X$ ]# _
. q1 z( K o3 r! g* ~__________________________________________________________________________, r" Z: L6 f+ c! m8 F8 J
Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets at which "tICE" sits
   in keys #2 and #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag (ZF is set when no debugger is installed).
</PRE></TD></TR></TBODY></TABLE>