About anti-SoftICE tricks

Posted 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (bytes 42h 43h 48h 4Bh)
    mov     ax, 04h
    int     3                      ; handled by SoftICE when it is loaded
    cmp     al,4                   ; AL is no longer 4 if SoftICE saw 'BCHK'
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

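When you meet Method 01 or Method 02 in a packed binary, the quickest way to find every occurrence is to scan for the set-up instructions that precede the INT 3 rather than for the INT 3 itself. The scanner below is an added example and not part of the original text: it looks for the 'BCHK' load into EBP (BD 4B 48 43 42) and for the FG/JM magic pair (BE 47 46 / BF 4D 4A) in a short window before each CCh opcode and, for the back door, recovers the AX function code from the preceding `mov ax, 09xxh`. The window size is a heuristic of mine, and the two sample byte strings are constructed here from the listings above (jump displacements for the unlisted targets are placeholders).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of INT 3 based SoftICE tricks the scanner recognises. */
enum sice_trick { SICE_NONE = 0, SICE_BCHK = 1, SICE_BACKDOOR = 2 };

struct sice_hit {
    enum sice_trick kind;
    size_t   int3_off;   /* offset of the INT 3 opcode (CCh)                  */
    uint16_t ax_fn;      /* back door function (0910h..0914h), 0 for BCHK      */
};

/* How far back from the INT 3 the set-up instructions are searched.
   The HASP loop needs 11 bytes; 24 is a heuristic that tolerates a few
   extra instructions in between. */
#define SICE_LOOKBACK 24

/* Opcode encodings (16-bit code; the 'mov ebp' in Method 01 carries a 66h
   operand-size prefix there, which the pattern does not need to match):
     mov si, 4647h -> BE 47 46        mov di, 4A4Dh      -> BF 4D 4A
     mov ax, 09xxh -> B8 xx 09        mov ebp, 4243484Bh -> BD 4B 48 43 42 */
static int at(const uint8_t *b, size_t i, size_t end, const uint8_t *pat, size_t n)
{
    if (i + n > end) return 0;
    for (size_t k = 0; k < n; k++) if (b[i + k] != pat[k]) return 0;
    return 1;
}

/* Scan buf for the first INT 3 whose preceding bytes carry either the
   'BCHK' signature in EBP or the FG/JM magic pair in SI/DI.
   Returns 1 and fills *hit on success, 0 when nothing is found. */
int scan_sice_int3_tricks(const uint8_t *buf, size_t len, struct sice_hit *hit)
{
    static const uint8_t mov_si_fg[]    = { 0xBE, 0x47, 0x46 };
    static const uint8_t mov_di_jm[]    = { 0xBF, 0x4D, 0x4A };
    static const uint8_t mov_ebp_bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };

    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0xCC) continue;                       /* INT 3 */
        size_t lo = i > SICE_LOOKBACK ? i - SICE_LOOKBACK : 0;
        int seen_si = 0, seen_di = 0, seen_bchk = 0;
        uint16_t fn = 0;
        for (size_t j = lo; j < i; j++) {
            if (at(buf, j, i, mov_si_fg, 3))        seen_si = 1;
            else if (at(buf, j, i, mov_di_jm, 3))   seen_di = 1;
            else if (at(buf, j, i, mov_ebp_bchk, 5)) seen_bchk = 1;
            else if (j + 2 < i && buf[j] == 0xB8 && buf[j + 2] == 0x09 &&
                     buf[j + 1] >= 0x10 && buf[j + 1] <= 0x14)
                fn = (uint16_t)(0x0900 | buf[j + 1]);       /* mov ax, 09xxh */
        }
        if (seen_si && seen_di && fn) {
            if (hit) { hit->kind = SICE_BACKDOOR; hit->int3_off = i; hit->ax_fn = fn; }
            return 1;
        }
        if (seen_bchk) {
            if (hit) { hit->kind = SICE_BCHK; hit->int3_off = i; hit->ax_fn = 0; }
            return 1;
        }
    }
    if (hit) { hit->kind = SICE_NONE; hit->int3_off = 0; hit->ax_fn = 0; }
    return 0;
}

/* Constructed sample: the HASP loop at 4C19:0095 assembled to bytes. */
static const uint8_t hasp_loop[] = {
    0xB8, 0x11, 0x09,        /* mov ax, 0911h                 */
    0x8B, 0x17,              /* mov dx, [bx]                  */
    0xBE, 0x47, 0x46,        /* mov si, 4647h                 */
    0xBF, 0x4D, 0x4A,        /* mov di, 4A4Dh                 */
    0xCC,                    /* int 3                         */
    0x83, 0xC3, 0x02,        /* add bx, 2                     */
    0x41,                    /* inc cx                        */
    0x83, 0xF9, 0x06,        /* cmp cx, 6                     */
    0x72, 0xEB,              /* jb  0095                      */
    0xE9, 0x55, 0xFF,        /* jmp 0002                      */
    0x8B, 0xDC               /* mov bx, sp                    */
};

/* Constructed sample: Method 01 as 16-bit code (jnz target not reproduced). */
static const uint8_t bchk_seq[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp, 4243484Bh */
    0xB8, 0x04, 0x00,                     /* mov ax, 4          */
    0xCC,                                 /* int 3              */
    0x3C, 0x04,                           /* cmp al, 4          */
    0x75, 0x00                            /* jnz ...            */
};

int main(void)
{
    struct sice_hit h;
    if (scan_sice_int3_tricks(hasp_loop, sizeof hasp_loop, &h))
        printf("back door call AX=%04Xh, INT 3 at +%zu\n", h.ax_fn, h.int3_off);
    if (scan_sice_int3_tricks(bchk_seq, sizeof bchk_seq, &h))
        printf("BCHK trick, INT 3 at +%zu\n", h.int3_off);
    return 0;
}
```

Run it over a dumped code section (or the unpacked image after the packer's first layer) and set a BPX on each reported INT 3 offset; a bare INT 3 without the magic values is left alone, which keeps ordinary debug breaks out of the report.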

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector (ES=0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler in the IVT
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL if our handler was not reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

9 I& J, U$ R  W( i. |0 Q& p" vMethod 09
9 x& h0 j8 e4 M5 l' q=========  n; K0 O3 a- ]  A6 I/ M0 y
, N3 ~  K8 @+ B  c4 _! E2 u  @" k  A
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
/ {, q& L& m7 D- c+ |performed in ring0 (VxD or a ring3 app using the VxdCall).
- [3 T9 f. w; v* QThe Get_DDB service is used to determine whether or not a VxD is installed
2 n2 e9 T9 B: X& Vfor the specified device and returns a Device Description Block (in ecx) for1 V. O, e  g8 d
that device if it is installed.
$ _4 V6 x* n6 F6 Q1 K$ L3 U9 J# j+ t1 a/ y3 f, \
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID& K# b& J, ~  O
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
/ ^/ F  T5 u* S$ X   VMMCall Get_DDB2 |+ ]" M9 q  B/ Q6 Q$ ~; g* v7 c
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
- q9 u3 \& c7 Q* O' S6 }% a2 _( ]. _# M7 n8 k% k6 y, G
Note as well that you can easily detect this method with SoftICE:
- M8 c! _0 C! L, `   bpx Get_DDB if ax==0202 || ax==7a5fh9 [/ V6 f! e7 H: V* N/ L5 I  k9 ~6 n$ G
  A. X( l" R& w" t% {' L4 K5 w
__________________________________________________________________________
9 i8 \$ `7 x' r7 W3 E6 q  C: H9 D/ J9 S' s# I
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

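To make sense of the 0x700 / 0x400 values quoted above you need the DR7 bit layout, so here is an added example (mine, not part of the original text) that decodes a DR7 value the way a ring-0 check would after reading it: which of DR0..DR3 are armed, their R/W and LEN fields, and the LE/GE bits. Bit 10 (0x400) is a reserved bit that always reads as 1, so the "loaded by the SoftICE loader" signal in the page's rule is really LE|GE (0x300). The sample values are constructed; the code does not read the real register, since `mov eax, dr7` is privileged and faults in ring 3, which is exactly why the page says ring0 only.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (Intel SDM vol. 3, "Debug Registers"). */
struct dr7_info {
    int local[4];   /* L0..L3: breakpoint n enabled for the current task        */
    int global[4];  /* G0..G3: breakpoint n enabled globally                    */
    int rw[4];      /* R/Wn: 0 = execute, 1 = write, 2 = I/O, 3 = read/write    */
    int len[4];     /* LENn decoded to bytes: 1, 2, 8 (x86-64 only) or 4        */
    int le, ge;     /* bits 8 and 9: local/global exact breakpoint match        */
    int gd;         /* bit 13: general detect (trap on any DRn access)          */
};

void dr7_decode(uint32_t dr7, struct dr7_info *o)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    for (int n = 0; n < 4; n++) {
        o->local[n]  = (dr7 >> (2 * n))      & 1;
        o->global[n] = (dr7 >> (2 * n + 1))  & 1;
        o->rw[n]     = (dr7 >> (16 + 4 * n)) & 3;
        o->len[n]    = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
    }
    o->le = (dr7 >> 8)  & 1;
    o->ge = (dr7 >> 9)  & 1;
    o->gd = (dr7 >> 13) & 1;
}

/* Bitmask of hardware breakpoints that are armed (Ln or Gn set): this is
   what a protector inspects to find the user's BPMs in DR0..DR3. */
int dr7_armed_mask(uint32_t dr7)
{
    int m = 0;
    for (int n = 0; n < 4; n++)
        if ((dr7 >> (2 * n)) & 3) m |= 1 << n;
    return m;
}

/* The page's rule: 0x700 when started by the SoftICE loader, 0x400 otherwise.
   Bit 10 always reads as 1, so the information is in LE|GE (0x300). */
int dr7_set_by_sice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm breakpoint n as a BPM-style data breakpoint: rw 3 = break on read or
   write, len_enc 3 = 4 bytes. Clearing the BPMs the page mentions is the
   inverse: zero Ln/Gn for the slot. */
uint32_t dr7_arm_bpm(uint32_t dr7, int n, int rw, int len_enc, int global)
{
    dr7 &= ~(3u << (2 * n));                 /* clear Ln/Gn          */
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear R/Wn and LENn  */
    dr7 |= (global ? 2u : 1u) << (2 * n);
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= (uint32_t)(len_enc & 3) << (18 + 4 * n);
    return dr7;
}

int main(void)
{
    /* Constructed DR7 values, not read from a live machine. */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm_bpm(0x400, 0, 3, 3, 0) };
    for (unsigned i = 0; i < 3; i++) {
        struct dr7_info d;
        dr7_decode(samples[i], &d);
        printf("dr7=%08X loader=%d armed=%x le=%d ge=%d bp0: rw=%d len=%d\n",
               samples[i], dr7_set_by_sice_loader(samples[i]),
               dr7_armed_mask(samples[i]), d.le, d.ge, d.rw[0], d.len[0]);
    }
    return 0;
}
```

A BPM set on a 4-byte location therefore shows up as 0x000F0401 (L0 set, R/W0 = 11b, LEN0 = 11b) on top of the reserved 0x400, and a protector that writes DR7 back with those bits cleared silently disarms the breakpoint, which is why the page warns against tracing with breakpoints active.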
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

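The page's IsSoftIce95Loaded() only tries one driver name; a protector that wants to cover both Win9x and WinNT tries all three. The following is an added example of mine, not MeltICE's or nmtrans.dll's code: it runs the same open-attempt over SICE, SIWVID and NTICE, takes the opener as a callback so the logic can be exercised without SoftICE (the real CreateFileA opener is compiled only under _WIN32), and includes a host-side helper that mirrors the `*(esp->4+4)=='SICE' || ...` breakpoint condition, i.e. what a hook on CreateFileA would test to flag the probe before it reaches the driver. The fake opener that stands in for a Win9x box with SoftICE loaded is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names a MeltICE-style check opens: SICE/SIWVID exist on Win9x,
   NTICE on WinNT, so a portable check tries all three. */
static const char *const sice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define SICE_DEVICE_COUNT (sizeof sice_devices / sizeof sice_devices[0])

/* Opener callback: returns non-zero if the device could be opened. */
typedef int (*device_open_fn)(const char *path);

#ifdef _WIN32
/* The real thing: the same CreateFileA call as IsSoftIce95Loaded() above. */
int open_with_createfile(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Bitmask of the devices that opened (bit i = sice_devices[i]);
   0 means none opened, i.e. SoftICE is not loaded. */
int probe_sice_devices(device_open_fn try_open)
{
    int mask = 0;
    for (size_t i = 0; i < SICE_DEVICE_COUNT; i++)
        if (try_open(sice_devices[i])) mask |= 1 << i;
    return mask;
}

/* Host-side mirror of
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'
   skip the 4-byte "\\.\" prefix and compare the next four characters. */
int is_sice_device_name(const char *path)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8) return 0;
    for (size_t i = 0; i < 3; i++)
        if (strncmp(path + 4, tags[i], 4) == 0) return 1;
    return 0;
}

/* Constructed stand-in for a Win9x box with SoftICE loaded: only the
   two Win9x driver names open, NTICE does not exist there. */
static int fake_open_win9x_sice(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}

int main(void)
{
#ifdef _WIN32
    printf("live probe mask: %x\n", probe_sice_devices(open_with_createfile));
#else
    printf("simulated Win9x mask: %x\n", probe_sice_devices(fake_open_win9x_sice));
#endif
    return 0;
}
```

The callback split is also the cheapest way to defeat this family of checks from the debugger side: whatever opens the name is the only thing the protector observes, so a hook that fails the open for these three names (the CreateFileA BPX condition above, made to return INVALID_HANDLE_VALUE) blinds every variant of MeltICE at once.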
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.