<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; assumes ES = 0 (the interrupt vector table segment)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; temporarily install our own int 41h handler
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:
 BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;   /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
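As an added example (not part of the original text), a small Python scanner that looks for the constant immediates and driver names the methods above cannot avoid using, so an analyst triaging a packed binary can see which trick is present before stepping through it. The byte encodings are my own assumption of how the listed mnemonics assemble (16-bit for the DOS snippets, 32-bit for the EBP load); the sample buffer is constructed.

```python
"""Static scanner for the SoftICE-detection constants described above.

Added example, not part of the original text: it flags the immediates and
driver names that Methods 01, 02, 03/04, 05/12 and 11 rely on. Instruction
encodings are assumed from the listed mnemonics (16-bit for the DOS
snippets, 32-bit for the EBP load); the sample buffer is constructed."""
import re
import sys

# description -> byte pattern of the constant the method cannot avoid using
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' tag (mov ebp,4243484Bh)":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 back-door magic SI=4647h then DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    "M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)",
    "M05/M12 compare against debugger magic (cmp ax,0F386h)":
        rb"\x3D\x86\xF3",
    "M11 MeltICE device name \\\\.\\SICE, SIWVID or NTICE":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(blob):
    """Return a list of (offset, description) hits, sorted by offset."""
    hits = []
    for desc, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: the Haspinst.exe back-door loop from Method 02, a
# Method 05 int 41h/4Fh probe and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"        # mov ax,0911h   (offset 4)
    + b"\x8B\x17"            # mov dx,[bx]
    + b"\xBE\x47\x46"        # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"        # mov di,4A4Dh
    + b"\xCC"                # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"        # mov ax,4Fh     (offset 20)
    + b"\xCD\x41"            # int 41h
    + b"\x3D\x86\xF3"        # cmp ax,0F386h  (offset 25)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"     # '\\.\SICE',0   (offset 32)
)

if __name__ == "__main__":
    # scan a file given on the command line, or the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, desc in scan(data):
        print("%#08x  %s" % (off, desc))
```

A hit only says the constant is present; confirm it under the debugger with the BPX/BPINT conditions given for each method, since the same bytes can occur in unrelated data.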
</PRE></TD></TR></TBODY></TABLE>