<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

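As an added example, not part of the original text, here is a small Python scanner for the two INT 3 tricks above, written from the analyst's side: it encodes the instructions that load the 'BCHK' constant and the 4647h/4A4Dh magic values as the byte patterns they produce in 16-bit and 32-bit x86 code, and reports where an INT 3 follows them in a file image. The sample buffer is constructed for the example and is not taken from Haspinst.exe or any real program; the 32-byte window and the names (Finding, scan_int3_backdoor) are my own choices.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constants taken from the text: the BoundsChecker signature loaded into EBP
# (Method 01) and the SoftICE back door magic values in SI/DI (Method 02).
BCHK_MAGIC = 0x4243484B      # 'BCHK'
BACKDOOR_SI = 0x4647
BACKDOOR_DI = 0x4A4D
INT3 = b"\xCC"

# Byte patterns of the instructions that load those values. The optional 0x66
# operand-size prefix makes the patterns match in both 16-bit (DOS) and 32-bit
# (Win32) code segments; the immediates are little-endian.
PAT_MOV_EBP_BCHK = re.compile(rb"\x66?\xBD" + re.escape(BCHK_MAGIC.to_bytes(4, "little")))
PAT_MOV_SI_MAGIC = re.compile(rb"\x66?\xBE" + re.escape(BACKDOOR_SI.to_bytes(2, "little")))
PAT_MOV_DI_MAGIC = re.compile(rb"\x66?\xBF" + re.escape(BACKDOOR_DI.to_bytes(2, "little")))

@dataclass
class Finding:
    offset: int      # file offset of the first instruction of the pattern
    method: str      # which of the two tricks it looks like
    detail: str

def scan_int3_backdoor(code: bytes, window: int = 32) -> list[Finding]:
    """Report likely uses of the two INT 3 based SoftICE checks in `code`.

    A magic-value load alone is not enough (the constants may occur in data),
    so a hit is only reported when an INT 3 follows within `window` bytes,
    and for Method 02 the DI load must be in that window as well.
    """
    findings: list[Finding] = []
    for m in PAT_MOV_EBP_BCHK.finditer(code):
        tail = code[m.end():m.end() + window]
        if INT3 in tail:
            findings.append(Finding(m.start(), "Method 01", "mov ebp,'BCHK' followed by int 3"))
    for m in PAT_MOV_SI_MAGIC.finditer(code):
        tail = code[m.end():m.end() + window]
        if PAT_MOV_DI_MAGIC.search(tail) and INT3 in tail:
            findings.append(Finding(m.start(), "Method 02", "si=4647h / di=4A4Dh back door call"))
    findings.sort(key=lambda f: f.offset)
    return findings

# Constructed sample, not bytes from any real binary: a Method 02 loop modelled on
# the Haspinst.exe listing, a Method 01 fragment, and two decoys with no INT 3.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"              # mov ax,0911h
    + b"\x8B\x17"                  # mov dx,[bx]
    + b"\xBE\x47\x46"              # mov si,4647h       (offset 13)
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x83\xC3\x02"              # add bx,2
    + b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh  (offset 31)
    + b"\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x90" * 8
    + b"\xBE\x47\x46"              # decoy: SI magic with no DI load / INT 3 after it
    + b"\x90" * 40
    + b"\xBD\x4B\x48\x43\x42"      # decoy: 32-bit 'BCHK' load with no INT 3 in the window
    + b"\x90" * 40
)

if __name__ == "__main__":
    for f in scan_int3_backdoor(SAMPLE):
        print(f"offset {f.offset:#06x}: {f.method} - {f.detail}")
```

Running the block on SAMPLE reports the Method 02 sequence at offset 13 and the Method 01 sequence at offset 31 and stays silent on both decoys; on a real file the window keeps hits to places where the magic load is actually followed by the INT 3 that makes the trick work.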
Method 03
=========

Less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (ES:DI stays 0000:0000 if the VxD is absent)
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]   ; ...saving the previous vector in BX:DX
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our iret handler leaves AX = 4Fh; a system debugger answers 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler: copy AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value read from the timer (port 40h)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL == AL only if our handler really ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method detecting the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD ID)
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

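The text gives only the two whole-register values 0x700 and 0x400. The following Python helper is an added example, not part of the original text, that decodes DR7 according to the Intel field layout so that a reader looking at a ring 0 dump can see what those values mean: 0x400 is just the reserved bit that always reads as 1, 0x700 additionally has the LE and GE (local/global exact) bits set, and any breakpoint set with BPM shows up as an enabled slot whose address sits in DR0..DR3, with its type and length. The values passed in are constructed for the example; classify_dr7 simply applies the rule of thumb stated above and its wording is mine.

```python
from __future__ import annotations
from dataclasses import dataclass

# DR7 control bits (Intel SDM vol. 3, "Debug Registers"). The text only gives the
# two whole-register values 0x400 and 0x700; the field decoding is added here.
DR7_LE = 0x100            # bit 8:  local exact breakpoint enable
DR7_GE = 0x200            # bit 9:  global exact breakpoint enable
DR7_RESERVED_1 = 0x400    # bit 10: reserved, always reads as 1
DR7_GD = 0x2000           # bit 13: general detect (trap on any DRx access)

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

@dataclass
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / io / read-write
    length: int      # bytes covered
    scope: str       # local, global or local+global

def decode_dr7(dr7: int, dr_addr=(0, 0, 0, 0)) -> dict:
    """Decode DR7 (plus the matching DR0..DR3 values) into enabled breakpoints and flags."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li enable bit
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi enable bit
        if not (local or glob):
            continue                          # slot disabled, DRi content is irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LENi field
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        bps.append(HwBreakpoint(i, dr_addr[i], RW_NAMES[rw], LEN_BYTES[ln], scope))
    return {
        "breakpoints": bps,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit_set": bool(dr7 & DR7_RESERVED_1),
    }

def classify_dr7(dr7: int) -> str:
    """Rule of thumb from the text: 0x700 (LE+GE) means the program was started through
    the SoftICE loader, 0x400 is a plain start; any enabled slot means a BPM is set."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoint(s) set"
    if info["le"] and info["ge"]:
        return "started with the SoftICE loader (LE+GE set)"
    return "no indication"

if __name__ == "__main__":
    # 0x000F0401: L0 enabled, R/W0 = 11 (read/write), LEN0 = 11 (4 bytes), reserved bit
    for value in (0x400, 0x700, 0x000F0401):
        print(hex(value), "->", classify_dr7(value), decode_dr7(value, (0x401000, 0, 0, 0)))
```

The decoder also makes the page's caveat concrete: the debug registers are only readable from ring 0, so a ring 3 program can only get at these fields through a driver or a VxD, which is exactly why the text restricts the trick to ring 0.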
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Win32 device name of the SoftICE VxD; SIWVID / NTICE are checked the same way */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered the open: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

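Added example for Methods 11 and 13, not part of the original text: a Python helper that searches a file image for the device names MeltICE opens and for the three registry keys listed above, so that an analyst can triage a sample for these checks before running it under a debugger. It goes slightly beyond the text by also matching the UTF-16LE spelling (CreateFileW / RegOpenKeyExW builds) and by comparing case-insensitively, as both the registry and the device namespace do. The sample buffer is constructed for the example, and the function names are mine.

```python
from __future__ import annotations

# Indicator strings taken from the text: the Win32 device names opened by MeltICE
# (Method 11) and the registry keys polled by Method 13, grouped by method.
INDICATORS = {
    "Method 11": [
        r"\\.\SICE",
        r"\\.\SIWVID",
        r"\\.\NTICE",
    ],
    "Method 13": [
        r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
        r"Software\NuMega\SoftICE",
        r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
    ],
}

def _encodings(s: str) -> list[tuple[str, bytes]]:
    # CreateFileA / RegOpenKeyA take ANSI strings, the W variants take UTF-16LE.
    # Needles are lower-cased here and the data is lower-cased in the scan, which
    # gives a case-insensitive match; all indicators are plain ASCII.
    low = s.lower()
    return [("ansi", low.encode("latin-1")), ("utf16", low.encode("utf-16-le"))]

def find_softice_indicators(data: bytes) -> list[tuple[int, str, str, str]]:
    """Return (offset, method, indicator, encoding) for every indicator found in `data`,
    sorted by offset."""
    # bytes.lower() only touches ASCII A-Z, so UTF-16LE text ('S\x00' -> 's\x00')
    # is lower-cased correctly as well and the NUL bytes are left alone.
    low = data.lower()
    hits = []
    for method, needles in INDICATORS.items():
        for needle in needles:
            for enc_name, enc in _encodings(needle):
                start = 0
                while (pos := low.find(enc, start)) != -1:
                    hits.append((pos, method, needle, enc_name))
                    start = pos + 1
    hits.sort()
    return hits

# Constructed sample, not from a real program: an ANSI device name as MeltICE uses
# it (offset 16), a UTF-16LE copy of the NuMega key as a Unicode build would carry
# it (offset 33), and a second device name (offset 89), separated by padding.
SAMPLE = (
    b"\x00" * 16
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 8
    + "SOFTWARE\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, method, needle, enc in find_softice_indicators(SAMPLE):
        print(f"{offset:#08x} {method:9s} {enc:5s} {needle}")
```

A string hit is only an indicator, not proof: the registry paths in particular are legitimately present in installers and uninstallers, so a finding from Method 13 should be read together with what the code around the string does, e.g. whether the value is followed by a file deletion loop as the text warns.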
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>