<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
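The back door call described above, as an added example that is not part of
the original text: when tracing a DOS program in an emulator, an INT 3 trap
can be classified from the register state alone. The function numbers and
the SI/DI magic values are the ones listed above; the flat memory image,
the NUL-terminated command strings (an assumed format) and the register
values that replay the Haspinst.exe loop are constructed for the demo.

```python
"""Classify INT 3 traps seen while tracing a DOS program under an emulator.

Added example, not part of the original text: given the registers at an
INT 3 and a flat copy of real-mode memory, it tells an ordinary breakpoint
apart from the BoundsChecker check (Method 01) and the SoftICE back door
(Method 02), and for function 0911h recovers the command at DS:DX.
"""

BACKDOOR_MAGIC_SI = 0x4647      # 'FG'
BACKDOOR_MAGIC_DI = 0x4A4D      # 'JM'
BCHK_SIGNATURE = 0x4243484B     # 'BCHK' in EBP

BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# The text singles HBOOT out as the command used to crash/reboot the machine.
DESTRUCTIVE_COMMANDS = {"HBOOT"}


def linear(seg, off):
    """Real-mode segment:offset to a linear address."""
    return seg * 16 + off


def read_asciiz(mem, seg, off, limit=64):
    """Read a NUL-terminated ASCII string (assumed format) at seg:off."""
    start = linear(seg, off)
    end = mem.find(b"\x00", start, start + limit)
    if end == -1:
        end = start + limit
    return mem[start:end].decode("ascii", errors="replace")


def classify_int3(regs, mem=None):
    """regs: dict of 16-bit AX/SI/DI/DS/DX (and optionally 32-bit EBP).
    Returns a dict describing what the INT 3 is really doing."""
    ax = regs.get("AX", 0)
    # Method 01: 'BCHK' in EBP, AX=4; SoftICE answers by changing AL.
    if regs.get("EBP") == BCHK_SIGNATURE and ax == 0x0004:
        return {"kind": "bchk_check"}
    # Method 02: magic SI/DI plus a known function number in AX.
    if (regs.get("SI") == BACKDOOR_MAGIC_SI
            and regs.get("DI") == BACKDOOR_MAGIC_DI
            and ax in BACKDOOR_FUNCS):
        result = {"kind": "softice_backdoor", "function": ax,
                  "description": BACKDOOR_FUNCS[ax]}
        if ax == 0x0911 and mem is not None:
            cmd = read_asciiz(mem, regs["DS"], regs["DX"])
            result["command"] = cmd
            first = cmd.split()[0].upper() if cmd.split() else ""
            result["destructive"] = first in DESTRUCTIVE_COMMANDS
        return result
    return {"kind": "breakpoint"}


def build_sample_memory():
    """Constructed image: segment 1000h holds the six command strings of the
    Haspinst.exe loop and, at offset 0, a table of near pointers to them."""
    mem = bytearray(0x10100)
    seg, table_off, str_off = 0x1000, 0x0000, 0x0020
    for i, cmd in enumerate([b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]):
        mem[linear(seg, str_off):linear(seg, str_off) + len(cmd) + 1] = cmd + b"\x00"
        entry = linear(seg, table_off + 2 * i)
        mem[entry:entry + 2] = str_off.to_bytes(2, "little")
        str_off += len(cmd) + 1
    return bytes(mem), seg, table_off


def replay_hasp_loop():
    """Walk the Haspinst.exe loop (MOV DX,[BX] / INT 3 / ADD BX,2, six times)
    and classify each trap."""
    mem, ds, bx = build_sample_memory()
    traps = []
    for _ in range(6):
        dx = int.from_bytes(mem[linear(ds, bx):linear(ds, bx) + 2], "little")
        regs = {"AX": 0x0911, "SI": 0x4647, "DI": 0x4A4D, "DS": ds, "DX": dx}
        traps.append(classify_int3(regs, mem))
        bx += 2
    return traps


if __name__ == "__main__":
    for t in replay_hasp_loop():
        print(t)
```

The sixth trap comes back flagged as destructive because its command is
HBOOT; an emulator can refuse to forward that INT 3 while still answering
the harmless LDT/IDT/GDT/TSS/RS requests.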
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; saving the old vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax alone; a debugger
        jz SoftICE_detected     ; answering 0F386h reveals itself

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; copy the value read from the timer into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: a pseudo-random value in al
        xor cx,cx
        int 41h                 ; without a debugger, our handler sets cl=al
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler never ran, something
        jnz SoftICE_detected    ; else caught int 41h
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The driver answered the open: SoftICE is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
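The methods above share a small set of constants (the 'BCHK' signature, the
4647h/4A4Dh magic values, the int 2Fh/1684h and int 41h/4Fh calls, the
\\.\SICE device names, the registry keys). As an added example that is not
part of the original text, the scanner below looks for those instruction
sequences and strings in a raw code/data blob so that an analyst can flag
Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 before running a sample. The
opcode encodings are standard x86 (16-bit forms, plus the optional 66h
prefix that 32-bit code uses for 16-bit operands); the gaps allowed between
instructions are an assumption; the sample blob is constructed.

```python
"""Static scanner for the anti-SoftICE tricks catalogued above.

Added example, not part of the original text. Each signature is a bytes
regex over the raw file contents; string patterns are matched
case-insensitively.
"""
import re

ANY = rb"[\x00-\xFF]"           # one arbitrary byte inside a bytes regex

SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' check: mov ebp,4243484Bh",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02 SoftICE back door magic: mov si,4647h / mov di,4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46" + ANY + rb"{0,16}?(?:\x66)?\xBF\x4D\x4A"),
    ("M03/M04 int 2Fh/1684h lookup of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"(?:\x66)?\xB8\x84\x16" + ANY + rb"{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)"
     + ANY + rb"{0,8}?\xCD\x2F"),
    ("M05 int 41h/4Fh debugger installation check",
     rb"(?:\x66)?\xB8\x4F\x00" + ANY + rb"{0,8}?\xCD\x41"),
    ("M07 int 68h/43h WinICE V86 handler check",
     rb"\xB4\x43" + ANY + rb"{0,8}?\xCD\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

STRINGS = [
    ("M11 MeltICE device name",
     [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    ("M13 SoftICE registry key",
     [b"Software\\NuMega\\SoftICE", b"\\Uninstall\\SoftICE",
      b"App Paths\\Loader32.Exe"]),
]


def scan(blob):
    """Return sorted (offset, description) pairs for every hit in blob."""
    hits = set()
    for desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.add((m.start(), desc))
    for desc, needles in STRINGS:
        for needle in needles:
            for m in re.finditer(re.escape(needle), blob, re.IGNORECASE):
                hits.add((m.start(), desc + ": " + needle.decode("ascii")))
    return sorted(hits)


def build_sample():
    """Constructed blob: Method 01, the core of the Haspinst.exe loop
    (16-bit), a Method 05 check, then the MeltICE and registry strings."""
    return (b"\x90" * 8
            + b"\xBD\x4B\x48\x43\x42"                   # mov ebp,4243484Bh
            + b"\x66\xB8\x04\x00\xCC\x3C\x04"           # mov ax,4 / int 3 / cmp al,4
            + b"\x90" * 4
            + b"\xB8\x11\x09\x8B\x17"                   # mov ax,0911h / mov dx,[bx]
            + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"           # mov si / mov di / int 3
            + b"\x90" * 4
            + b"\xB8\x4F\x00\xCD\x41"                   # mov ax,4Fh / int 41h
            + b"\x00" * 4
            + b"\\\\.\\SICE\x00"
            + b"Software\\NuMega\\SoftICE\x00")


if __name__ == "__main__":
    for offset, desc in scan(build_sample()):
        print(f"{offset:06x}  {desc}")
```

The patterns deliberately tolerate a few bytes between the instructions,
because packers interleave junk or register moves (compare the Haspinst.exe
listing, where MOV DX,[BX] sits between the AX load and the magic values);
a hit is a lead for the analyst, not a verdict.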
</PRE></TD></TR></TBODY></TABLE>