<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to point to the IVT (segment 0)
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al            ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax            ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]  ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h           ; al = a varying timer byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al            ; cl != al if a debugger swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 sample: needs windows.h (HANDLE, CreateFileA, CloseHandle). */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the SoftICE VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
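As an added example, not part of the original text nor of any tool it mentions: a small Python triage scanner that flags the byte patterns and strings of methods 01, 03/04, 05, 07, 11, 12 and 13 in a raw code blob, so an analyst can spot a packer stub that carries these checks before stepping into it. The opcode encodings, the labels and the sample buffer are my own assumptions; only the plain encodings implied by the listings above are covered, so it is a heuristic, not a decoder.

```python
import re

# label -> regex over raw bytes.  The optional \x66 operand-size prefix lets
# one pattern match both 16-bit DOS code and 32-bit Win32 code.  Heuristic:
# other encodings or obfuscated constants are not recognised.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "01 BoundsChecker BCHK / int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h with SICE/SIWVID VxD ID":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "05 int 41h function 4Fh": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h function 43h": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 002A002Ah ; call Kernel32!ORD_0001 (E8 rel32)
    "12 VWIN32_Int41Dispatch via VxDCall":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00\xE8",
    # Magic value compare shared by 05/07/12: cmp ax,0F386h
    "cmp ax,0F386h (system debugger magic)": rb"\x66?\x3D\x86\xF3",
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    "11 MeltICE device name": rb"\\\\\.\\(?i:SICE|SIWVID|NTICE)",
    # Method 13: registry keys that reveal a SoftICE installation
    "13 SoftICE registry key":
        rb"(?i:Uninstall\\SoftICE|NuMega\\SoftICE|App Paths\\Loader32\.Exe)",
}


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): a Win32 stub fragment carrying
# Method 01, Method 05 with its magic compare, two MeltICE device names
# and a Method 13 registry key, separated by filler instructions.
SAMPLE = (
    b"\x55\x8B\xEC"                                        # push ebp ; mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01
    + b"\x75\x10"                                          # jnz SoftICE_Detected
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"          # Method 05 + cmp ax,0F386h
    + b"\x74\x08"                                          # jz SoftICE_detected
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                     # Method 13 key
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print("0x%04x  %s" % (offset, label))
```

Running the block prints one line per hit with its offset; on a real sample, feed the file's bytes to scan() instead of SAMPLE.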
+ V( k& _! H5 a6 \0 R
0 X2 X7 w+ F n Y9 w" }__________________________________________________________________________
* A" W8 h9 V% ~0 j9 M2 Y" a
3 M; j& |5 v/ {- u, m8 @9 T& U* z
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>