<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') inside SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL still 4: nobody answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0 if the VxD is absent)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


This variant, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point to segment 0 (the IVT):
        xchg bx, es:[41h*4+2]   ; install our handler, old vector saved in BX:DX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected


int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler ran: keep a copy of AL
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 (the IVT)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, old vector saved in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (timer port)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL: our handler was bypassed
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; -1 (error) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f       ; slooooow!
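Every method above boils down to a handful of fixed immediates and strings (the 'BCHK' tag, the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, the 0F386h answer, the \\.\SICE device names, the 002A002Ah VxDCall selector), so an analyst triaging a packed sample can look for them statically before tracing anything under a debugger. The Python script below is an added example written for this page, not code from the original text or from any tool it names. The byte patterns are my assumption of what an assembler emits for the instructions shown (16-bit mov si,imm16 = BE imm16, int n = CD n, cmp ax,imm16 = 3D imm16, and so on; a 66h prefix in 32-bit code does not break the match), and the sample buffer is hand-constructed. One pass covers methods 01 to 05, 07, 11 and 12; a bare immediate such as mov bx,0202h is only reported when the matching interrupt follows within a few bytes, which is what separates method 03 from an unrelated constant.

```python
"""
Static triage of x86 code for the SoftICE-detection tricks on this page.
Each Signature holds the bytes an assembler would emit for the instructions
shown in the methods above (assumed encodings, e.g. 16-bit 'mov si,imm16' =
BE imm16, 'int n' = CD n, 'cmp ax,imm16' = 3D imm16, 'push imm32' = 68 imm32).
The SAMPLE buffer at the bottom is constructed for this example.
"""
from dataclasses import dataclass

WINDOW = 16      # bytes searched after a match for the expected interrupt


@dataclass(frozen=True)
class Signature:
    method: str           # method number on this page
    description: str
    pattern: bytes        # literal byte pattern to locate
    follow: tuple = ()    # one of these must appear within WINDOW bytes after


SIGNATURES = [
    Signature("01", "BoundsChecker 'BCHK' tag: mov ebp,4243484Bh", b"\xBD\x4B\x48\x43\x42"),
    Signature("02", "back door magic: mov si,4647h ... int 3", b"\xBE\x47\x46", (b"\xCC", b"\xCD\x03")),
    Signature("02", "back door magic: mov di,4A4Dh ... int 3", b"\xBF\x4D\x4A", (b"\xCC", b"\xCD\x03")),
    Signature("03", "int 2Fh/1684h with SICE VxD ID: mov bx,0202h", b"\xBB\x02\x02", (b"\xCD\x2F",)),
    Signature("04", "int 2Fh/1684h with SIWVID VxD ID: mov bx,7A5Fh", b"\xBB\x5F\x7A", (b"\xCD\x2F",)),
    Signature("05", "debugger check: mov ax,4Fh / int 41h", b"\xB8\x4F\x00\xCD\x41"),
    Signature("07", "WinICE V86 handler: mov ah,43h / int 68h", b"\xB4\x43\xCD\x68"),
    Signature("05/07/12", "system debugger magic: cmp ax,0F386h", b"\x3D\x86\xF3"),
    Signature("11", "MeltICE device name \\\\.\\SICE", b"\\\\.\\SICE"),
    Signature("11", "MeltICE device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    Signature("11", "MeltICE device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    Signature("12", "VxDCall VWIN32_Int41Dispatch: push 002A002Ah", b"\x68\x2A\x00\x2A\x00"),
]


def find_all(data: bytes, needle: bytes):
    """Yield every offset of needle in data, overlapping matches included."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return
        yield idx
        start = idx + 1


def scan(data: bytes):
    """Return sorted (offset, method, description) hits for all signatures.

    An immediate like 'mov bx,0202h' is too common to report on its own, so a
    signature with a 'follow' tuple only counts when the matching interrupt
    shows up within WINDOW bytes (a lone BB 02 02 is skipped).
    """
    hits = []
    for sig in SIGNATURES:
        for off in find_all(data, sig.pattern):
            end = off + len(sig.pattern)
            if sig.follow and not any(f in data[end:end + WINDOW] for f in sig.follow):
                continue
            hits.append((off, sig.method, sig.description))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of methods 01, 02, 03, 12 and
# 11, plus one decoy 'mov bx,0202h' with no int 2Fh after it.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"         # method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                          # method 02
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # method 03
    + b"\x90" * 4
    + b"\xBB\x02\x02" + b"\x90" * 20                                        # decoy
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                                    # method 11
)


if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:08x}  method {method:8}  {desc}")
```

Run it as-is to list the hits in the constructed buffer, or pass your own bytes to scan(). Obfuscated or self-modifying code will not carry these constants in plain form, so a clean result is only a quick first pass, not proof that none of the tricks is present.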
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>