<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
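Both tricks leave a fixed instruction sequence in the program's code, so an
analyst can flag them when a packed program is examined statically, before it
is ever run under the debugger. The scanner below is an added example (it is
not code from the original text, nor from Haspinst.exe): it searches a code
buffer for the mov ebp,'BCHK' of Method 01 and for the mov si,4647h /
mov di,4A4Dh pair of Method 02, each followed by an int 3 within a short
window. The sample buffers are constructed to mirror the listings above; the
16-byte window and the "either order" rule for the two moves are assumptions
of the example, not something the text states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns of the instructions the two tricks rely on (16-bit code):
 *   mov si,4647h      -> BE 47 46
 *   mov di,4A4Dh      -> BF 4D 4A
 *   mov ebp,4243484Bh -> BD 4B 48 43 42 (a 66h prefix precedes it in 16-bit code)
 *   int 3             -> CC                                                   */
static const uint8_t MOV_SI_MAGIC[] = { 0xBE, 0x47, 0x46 };
static const uint8_t MOV_DI_MAGIC[] = { 0xBF, 0x4D, 0x4A };
static const uint8_t MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t INT3[]         = { 0xCC };

#define SIG_WINDOW 16   /* assumed: pieces of one sequence lie within 16 bytes */

enum sig_kind { SIG_BCHK = 1, SIG_BACKDOOR = 2 };
struct sig_hit { enum sig_kind kind; size_t offset; };

static int starts_with(const uint8_t *buf, size_t len, size_t pos,
                       const uint8_t *pat, size_t plen)
{
    return pos + plen <= len && memcmp(buf + pos, pat, plen) == 0;
}

/* Offset of pat inside buf[start, start+window), or -1 if absent. */
static long find_in_window(const uint8_t *buf, size_t len, size_t start,
                           size_t window, const uint8_t *pat, size_t plen)
{
    size_t end = start + window < len ? start + window : len;
    for (size_t i = start; i + plen <= end; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Scan buf for both sequences; fills up to max_hits entries, returns the count. */
size_t scan_softice_sigs(const uint8_t *buf, size_t len,
                         struct sig_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        /* Method 01: mov ebp,'BCHK' ... int 3 */
        if (starts_with(buf, len, i, MOV_EBP_BCHK, sizeof MOV_EBP_BCHK) &&
            find_in_window(buf, len, i + sizeof MOV_EBP_BCHK, SIG_WINDOW, INT3, 1) >= 0) {
            hits[n].kind = SIG_BCHK;
            hits[n].offset = (i > 0 && buf[i - 1] == 0x66) ? i - 1 : i; /* include prefix */
            n++;
            continue;
        }
        /* Method 02: mov si,4647h and mov di,4A4Dh (either order) ... int 3 */
        const uint8_t *other = NULL;
        if (starts_with(buf, len, i, MOV_SI_MAGIC, 3)) other = MOV_DI_MAGIC;
        else if (starts_with(buf, len, i, MOV_DI_MAGIC, 3)) other = MOV_SI_MAGIC;
        if (other == NULL) continue;
        long j = find_in_window(buf, len, i + 3, SIG_WINDOW, other, 3);
        if (j >= 0 && find_in_window(buf, len, (size_t)j + 3, SIG_WINDOW, INT3, 1) >= 0) {
            hits[n].kind = SIG_BACKDOOR;
            hits[n].offset = i;
            n++;
            i = (size_t)j + 2;  /* resume after the second mov */
        }
    }
    return n;
}

/* Plain-value wrappers: number of hits, and offset of the first hit of a kind (-1 if none). */
size_t count_softice_sigs(const uint8_t *buf, size_t len)
{
    struct sig_hit hits[32];
    return scan_softice_sigs(buf, len, hits, 32);
}
long first_softice_sig(const uint8_t *buf, size_t len, enum sig_kind kind)
{
    struct sig_hit hits[32];
    size_t n = scan_softice_sigs(buf, len, hits, 32);
    for (size_t i = 0; i < n; i++)
        if (hits[i].kind == kind) return (long)hits[i].offset;
    return -1;
}

/* Constructed samples (not bytes taken from any real file). */
/* Mirrors the Haspinst.exe loop: mov ax,0911h / mov dx,[bx] / mov si,4647h /
 * mov di,4A4Dh / int 3 / add bx,2                                            */
const uint8_t SAMPLE_BACKDOOR[] = { 0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46,
                                    0xBF, 0x4D, 0x4A, 0xCC, 0x83, 0xC3, 0x02 };
/* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz +10h */
const uint8_t SAMPLE_BCHK[] = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00,
                                0xCC, 0x3C, 0x04, 0x75, 0x10 };
/* The magic words as plain data with no mov opcode in front: must not match. */
const uint8_t SAMPLE_CLEAN[] = { 0x47, 0x46, 0x4D, 0x4A, 0xCC, 0x90, 0x90 };

int main(void)
{
    const uint8_t *bufs[] = { SAMPLE_BACKDOOR, SAMPLE_BCHK, SAMPLE_CLEAN };
    size_t lens[] = { sizeof SAMPLE_BACKDOOR, sizeof SAMPLE_BCHK, sizeof SAMPLE_CLEAN };
    for (int b = 0; b < 3; b++) {
        struct sig_hit hits[8];
        size_t n = scan_softice_sigs(bufs[b], lens[b], hits, 8);
        printf("sample %d: %zu hit(s)\n", b, n);
        for (size_t k = 0; k < n; k++)
            printf("  %s at offset %zu\n", hits[k].kind == SIG_BCHK ?
                   "BCHK handshake" : "4647h/4A4Dh back door", hits[k].offset);
    }
    return 0;
}
```

The scanner keys on the mov opcodes, not on the bare magic words, so the
constant 4647h/4A4Dh appearing as data does not trigger it; a packer that
builds the registers by other means (push/pop, arithmetic) would still need
the int 3 and is better caught with the BPX expressions given in the later
methods.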
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0, segment of the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer value, unpredictable
    xor cx, cx
    int 41h                 ; our handler copies AL into CL, unless SoftICE owns int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
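To see what the two DR7 values quoted above actually encode, here is a
decoder of the DR7 bit fields. It is an added example, not code from the
original text; it decodes a value you pass in (reading DR7 itself needs
ring 0, as the text says), so it runs anywhere. 0x700 sets LE, GE and the
always-set reserved bit 10 with no breakpoint slot enabled; 0x400 is the
reserved bit alone; the third value is constructed to show what one active
BPM (DR0, write, dword) looks like.

```c
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware breakpoint slots (DR0..DR3) as configured by DR7. */
struct dr7_slot {
    int local;   /* Lx (bit 2i):   breakpoint enabled for the current task */
    int global;  /* Gx (bit 2i+1): breakpoint enabled for every task */
    int rw;      /* R/Wx (bits 16+4i,17+4i): 0 execute, 1 write, 2 I/O, 3 read/write */
    int len;     /* LENx (bits 18+4i,19+4i) as a byte count: 1, 2, 4 or 8 */
};

struct dr7_view {
    struct dr7_slot slot[4];
    int le, ge;        /* bits 8, 9: local/global exact breakpoint enable */
    int reserved_set;  /* bit 10: architecturally always reads as 1 */
    int gd;            /* bit 13: general detect, traps any access to DR0..DR7 */
    int enabled;       /* number of slots with L or G set, i.e. active BPMs */
};

/* LENx encoding: 00b = 1 byte, 01b = 2, 11b = 4, 10b = 8 (8 only in 64-bit mode). */
static int dr7_len_bytes(unsigned bits)
{
    static const int table[4] = { 1, 2, 8, 4 };
    return table[bits & 3];
}

struct dr7_view decode_dr7(uint32_t dr7)
{
    struct dr7_view v = { 0 };
    for (int i = 0; i < 4; i++) {
        v.slot[i].local  = (dr7 >> (2 * i)) & 1;
        v.slot[i].global = (dr7 >> (2 * i + 1)) & 1;
        v.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        v.slot[i].len    = dr7_len_bytes((dr7 >> (18 + 4 * i)) & 3);
        if (v.slot[i].local || v.slot[i].global) v.enabled++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.reserved_set = (dr7 >> 10) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* Plain-value helpers for callers that only need one field. */
int dr7_active_slots(uint32_t dr7) { return decode_dr7(dr7).enabled; }
struct dr7_slot dr7_slot_of(uint32_t dr7, int i)
{
    struct dr7_view v = decode_dr7(dr7);
    return v.slot[i & 3];
}

const char *dr7_rw_name(int rw)
{
    static const char *names[4] = { "execute", "write", "io", "read/write" };
    return names[rw & 3];
}

void print_dr7(uint32_t dr7)
{
    struct dr7_view v = decode_dr7(dr7);
    printf("DR7=0x%08X: LE=%d GE=%d GD=%d bit10=%d, %d slot(s) active\n",
           dr7, v.le, v.ge, v.gd, v.reserved_set, v.enabled);
    for (int i = 0; i < 4; i++)
        if (v.slot[i].local || v.slot[i].global)
            printf("  DR%d: %s%s %s, %d byte(s)\n", i,
                   v.slot[i].local ? "L" : "", v.slot[i].global ? "G" : "",
                   dr7_rw_name(v.slot[i].rw), v.slot[i].len);
}

int main(void)
{
    print_dr7(0x700);       /* value quoted for a program started via the SoftICE loader */
    print_dr7(0x400);       /* value quoted otherwise: only the reserved bit */
    print_dr7(0x000D0401);  /* constructed: DR0 local, break on write, 4-byte length */
    return 0;
}
```

Reading the fields this way is what makes the trick precise: a non-zero
result in the L/G bits means a BPM is armed, while 0x700 versus 0x400 only
differs in the exact-breakpoint enables that the loader sets.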

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>