<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface that SoftICE services through int 3: with
ebp='BCHK' and ax=4, a loaded SoftICE handles the interrupt itself and al
no longer holds 4 on return; without SoftICE, al is left untouched.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is
used to reach the SoftICE 'Back Door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 03h handler) if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI is zeroed first, and a non-zero ES:DI on
return means the VxD answered.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WinICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). Before calling int 41h the
program swaps its own do-nothing handler into the int 41h vector (es=0
addresses the interrupt vector table), so that a handler somebody else
hooked into that vector cannot answer in SoftICE's place; the original
vector is restored afterwards:

    xor ax, ax
    mov es, ax           ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]  ; swap in our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:
no fixed function number is loaded into ax. A byte read from timer port
40h is passed to int 41h, and the program's own handler copies al into cl,
so cl==al afterwards unless something else handled the interrupt.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints (BPM)
are set (dr0 to dr3), simply by reading their value (in ring 0 only).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

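To make the dr7 values quoted above concrete, here is an added example
(not code from the original page or from any tool named on it) that
decodes DR7 according to the bit layout documented in the Intel SDM:
0x400 is just the reserved bit 10 that always reads as 1, 0x700 adds the
LE/GE flags, and an armed BPM shows up as an enable bit plus its R/W and
LEN fields. Reading a DRx is privileged, so the ring-0 read itself is not
shown; the function names and the 0x000F0401 sample value are mine and
constructed for the demonstration.

```python
# Bit layout of DR7 (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bits 8-9    LE, GE          exact-breakpoint flags
#   bit  10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit  13     GD              general detect: trap any mov to/from a DRx
#   bits 16-31  R/Wn (2 bits) and LENn (2 bits) for each slot n
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the control flags and the armed breakpoints encoded in DR7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                       # slot i is disarmed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"reg": i, "addr": dr0_3[i], "type": RW_NAMES[rw],
                    "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": bps}


def armed_slots(dr7):
    """The ring-0 check itself: which of DR0..DR3 has an enable bit set."""
    return [i for i in range(4) if dr7 & (3 << (2 * i))]


def clear_bpm(dr7):
    """Disarm every hardware breakpoint, keeping LE/GE and the reserved bit."""
    return dr7 & 0x0000FF00


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable summary of one DR7 value (plus DR0..DR3 if given)."""
    d = decode_dr7(dr7, dr0_3)
    out = [f"DR7={dr7:08X}  LE={d['le']:d} GE={d['ge']:d} GD={d['gd']:d}"]
    for bp in d["breakpoints"]:
        out.append(f"  DR{bp['reg']}={bp['addr']:08X} {bp['type']} "
                   f"len={bp['len']} ({bp['scope']})")
    if not d["breakpoints"]:
        out.append("  no hardware breakpoint armed")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(0x700))       # loaded through the SoftICE loader
    print(describe(0x400))       # loaded normally
    # Constructed: one 4-byte read/write BPM on DR0 = L0 | R/W0=11b | LEN0=11b
    print(describe(0x000F0401, (0x0040120C, 0, 0, 0)))
    print(f"after clear_bpm: {clear_bpm(0x000F0401):08X}")
```

Run it and the first two describe() lines show that neither baseline value
arms a breakpoint (they differ only in LE/GE), while the constructed value
arms a 4-byte read/write BPM on DR0; clear_bpm() is the "clearing BPMs"
manipulation mentioned above, and armed_slots() is the minimal test a
ring-0 check needs.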
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the device name only succeeds if the SICE VxD answers */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through the VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the
VxDCall function), and then browses the DDB list until it finds the VxD
and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could
a shareware program load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025    ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) + 1 == 0 -> open failed
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

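The listings in methods 01 to 07, 11, 12 and 13 all come down to a handful
of fixed byte sequences, which is exactly how a packer identifier or a
"find the anti-debug code" pass spots them before any tracing starts. The
following is an added example (not code from the original page or from any
tool named on it): a small Python signature scanner whose patterns I
hand-assembled from those listings (x86 little-endian immediates, with an
optional 66h operand-size prefix so one rule covers 16-bit DOS code and
32-bit Win32 code, and small gaps allowed between the instructions). The
SAMPLE image is constructed for the demonstration, not a real executable,
and the function and signature names are mine.

```python
import re

# Byte signatures for the checks listed in methods 01-07, 11, 12 and 13.
# Immediates are little-endian; (?:\x66)? accepts the operand-size prefix
# so one rule covers 16-bit DOS code and 32-bit Win32 code; lazy gaps
# (.{0,N}?) tolerate a few unrelated instructions between the pieces.
SIGNATURES = [
    ("Method 01: int 3 BoundsChecker interface (ebp='BCHK', ax=4)",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC"),
    ("Method 02: int 3 back door (si=4647h 'FG', di=4A4Dh 'JM')",
     rb"(?:(?:\x66)?\xB8[\x10-\x14]\x09.{0,8}?)?"               # mov ax,091xh (optional)
     rb"(?:(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A"   # mov si / mov di
     rb"|(?:\x66)?\xBF\x4D\x4A.{0,16}?(?:\x66)?\xBE\x47\x46)"    # or di first
     rb".{0,16}?\xCC"),                                          # int 3
    ("Method 03/04: int 2Fh/1684h VxD entry point (bx=0202h SICE / 7A5Fh SIWVID)",
     rb"(?:(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)"
     rb"|(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?(?:\x66)?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh (expects ax=0F386h)",
     rb"(?:\x66)?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("Method 07: int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("Method 11: SoftICE device name (MeltICE / _lopen variant)",
     rb"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00"
     rb".{0,8}?(?:\xE8|\xFF\x15)"),                               # call rel32 / call [mem]
    ("Method 13: SoftICE registry key string",
     rb"(?i:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan_image(data):
    """Return (signature name, offset) for every hit, sorted by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed image (not a real binary): hand-assembled encodings of the
# listings above, NOP-padded, plus a MeltICE string and a registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01 (16-bit code)
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 02 (Haspinst listing)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # 05 (simplest form)
    + b"\xB4\x43\xCD\x68"                                          # 07
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # 12 (32-bit code)
    + b"\x00\\\\.\\SICE\x00"                                       # 11
    + b"Software\\NuMega\\SoftICE\x00"                             # 13
)

if __name__ == "__main__":
    for name, off in scan_image(SAMPLE):
        print(f"{off:06X}  {name}")
```

Methods 06, 08, 09, 10 and 14 deliberately have no entry: 06 loads no
fixed function number, so only an opcode-level hunt for CD 41 would find
it, and the ring-0 ones are VMM service calls resolved at run time. The
device-name and registry strings can of course be built on the fly, so a
miss from this scanner is not a clean bill of health; a hit, on the other
hand, tells you which BPX from the sections above to set.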
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>