<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE recognising the BoundsChecker signature ('BCHK' in ebp)
when int 3 is raised:

 mov ebp, 04243484Bh  ; 'BCHK', the BoundsChecker signature
 mov ax, 04h
 int 3                ; serviced by SoftICE when ebp=='BCHK'
 cmp al,4             ; al untouched -> nobody answered the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh,
function 1684h (Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point (0:0 if no such VxD)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install a dummy int 41h handler in the IVT
 xchg bx, es:[41h*4+2]  ; (es must point to the IVT, segment 0)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                   ; does nothing: without a debugger ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; copy the value passed in al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es -> IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install the handler above
 xchg bx, es:[41h*4+2]
 in al, 40h             ; unpredictable byte from the timer port
 xor cx,cx
 int 41h                ; our handler should copy al into cl...
 xchg dx, es:[41h*4]    ; restore the vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; ...unless something else answered int 41h
 jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
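The interrupt-based checks of Methods 01 to 07 all reduce to a few fixed instruction bytes (a magic immediate followed by an int). As an added example, not part of the original text nor of any tool it names, here is a Python scanner an analyst can run over a raw image to triage which of those checks a packed sample carries. The byte patterns follow the standard x86 encodings of the instructions exactly as the page lists them (Method 01 as 32-bit code, the others as 16-bit DOS code); the wildcard windows between instructions and the sample image are assumptions constructed for the test.

```python
import re
from typing import NamedTuple

# Byte signatures of the checks above. Encodings: B8+reg imm16 (16-bit mov
# reg,imm), BD imm32 (mov ebp,imm32), 66 B8 imm16 (mov ax,imm16 in a 32-bit
# segment), B4 imm8 (mov ah,imm8), CC (int 3), CD nn (int nn). The ".{0,n}?"
# wildcards tolerate a few unrelated bytes between the instructions.
SIGNATURES = {
    "Method 01 (BoundsChecker 'BCHK' int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,8}?\xCC",
    "Method 02 (SoftICE int 3 back door, SI=4647h/DI=4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC",
    "Method 03 (int 2Fh/1684h, VxD ID 0202h)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F",
    "Method 04 (int 2Fh/1684h, VxD ID 7A5Fh)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "Method 05/06 (int 41h function 4Fh)":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    "Method 07 (int 68h function 43h)":
        rb"\xB4\x43.{0,8}?\xCD\x68",
}

# Back-door functions listed for Method 02, keyed by the value loaded into AX.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


class Hit(NamedTuple):
    offset: int
    method: str
    detail: str


def scan(image: bytes) -> list:
    """Return every signature hit in the image, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            detail = ""
            if name.startswith("Method 02"):
                # mov ax,09xxh normally precedes the magic values: look back
                # a few bytes (assumed window) to name the back-door function.
                window = image[max(0, m.start() - 16):m.start()]
                ax = re.search(rb"\xB8(.)\x09", window, re.DOTALL)
                if ax:
                    func = 0x0900 | ax.group(1)[0]
                    detail = f"AX={func:04X}h ({BACKDOOR_FUNCS.get(func, 'unknown')})"
            hits.append(Hit(m.start(), name, detail))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: the Haspinst-style back door, the 'BCHK'
    sequence and an int 41h/4Fh check, separated by nop filler."""
    filler = b"\x90" * 8
    backdoor = (b"\xB8\x11\x09"      # mov ax,0911h (execute command)
                b"\x8B\x17"          # mov dx,[bx]
                b"\xBE\x47\x46"      # mov si,4647h
                b"\xBF\x4D\x4A"      # mov di,4A4Dh
                b"\xCC")             # int 3
    bchk = (b"\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh
            b"\x66\xB8\x04\x00"      # mov ax,4
            b"\xCC"                  # int 3
            b"\x3C\x04")             # cmp al,4
    int41 = (b"\xB8\x4F\x00"         # mov ax,4Fh
             b"\xCD\x41"             # int 41h
             b"\x3D\x86\xF3")        # cmp ax,0F386h
    return filler + backdoor + filler + bchk + filler + int41


if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(f"{hit.offset:#06x} {hit.method} {hit.detail}")
```

The patterns are triage hints, not proof: a protector that loads the registers in a different order, or that runs the 16-bit sequence inside a 32-bit segment (where the same mnemonics encode with a 66h prefix), slips past them, and a hit on `int 41h`/`4Fh` alone can also be a legitimate debugger-installation probe. Treat a hit as a place to put a breakpoint, as the BPX/BPINT conditions later in this text do.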


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                      ; DOS set interrupt vector
 mov al, Int_Number               ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
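The two DR7 values quoted above differ only in the LE/GE bits; decoding the register shows exactly what a ring0 read of it reveals. As an added example (not from the original text), the Python below splits a DR7 value into its fields according to the Intel SDM layout and states what a Method 10 style check would infer from it; the sample values with a hardware breakpoint are constructed for the test.

```python
# DR7 layout (Intel SDM, debug registers): bits 0..7 are L0,G0,..,L3,G3
# (local/global enable of DR0..DR3), bit 8 LE and bit 9 GE (exact breakpoint
# mode), bit 10 reserved and always read as 1, bit 13 GD (general detect),
# and from bit 16 on a 2-bit R/W field plus a 2-bit LEN field per breakpoint.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding (8 bytes is 64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoints plus the LE/GE/GD flags of a DR7 value."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1     # G0..G3: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3  # R/W_i: which access kind traps
            ln = (dr7 >> (18 + 4 * i)) & 3  # LEN_i: size of the watched range
            breakpoints.append({"bp": i,
                                "scope": "global" if glob else "local",
                                "type": RW_NAMES[rw],
                                "len": LEN_NAMES[ln]})
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & 0x100),              # bit 8
        "ge": bool(dr7 & 0x200),              # bit 9
        "reserved_bit10": bool(dr7 & 0x400),  # the 0x400 in both quoted values
        "gd": bool(dr7 & 0x2000),             # bit 13
    }


def assess(dr7: int) -> list:
    """What a ring0 check in the spirit of Method 10 would conclude from DR7."""
    info = decode_dr7(dr7)
    findings = []
    if info["le"] or info["ge"]:
        findings.append("LE/GE set: exact-breakpoint mode, the only difference "
                        "between 0x700 (SoftICE loader) and 0x400")
    for bp in info["breakpoints"]:
        findings.append(f"DR{bp['bp']} {bp['scope']} {bp['type']} breakpoint "
                        f"on {bp['len']} byte(s): a BPM is active")
    if info["gd"]:
        findings.append("GD set: any access to DR0-DR7 will itself trap")
    return findings


if __name__ == "__main__":
    # 0x700 and 0x400 are the page's values; the third is a constructed DR7
    # with DR0 enabled locally as a 4-byte write breakpoint.
    for value in (0x700, 0x400, 0x400 | 1 | 0x10000 | 0xC0000):
        print(hex(value), assess(value) or ["nothing set"])
```

Reading the decoder output side by side with the warning at the top of this method makes the risk concrete: a BPM left set while such a check runs shows up as an enabled DRx entry, and a check that writes DR7 back can silently remove it.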

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
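Methods 11 and 13 leave their evidence in plain strings: the `\\.\SICE`-style device names handed to CreateFileA or _lopen, and the registry paths listed above. As an added example (not part of the original text or of the programs it names), here is a Python routine that pulls those indicators out of a raw image, the static counterpart of the BPX conditions given for both methods. The strings are the ones quoted on the page; searching for them in UTF-16LE as well as ASCII goes slightly beyond the page, to cover callers of the wide-character APIs. The sample image is constructed for the test.

```python
# Indicators exactly as quoted in Methods 11 and 13.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]   # Method 11
REGISTRY_PATHS = [                                           # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def find_indicators(image: bytes) -> list:
    """Return (offset, method, encoding, string) for every indicator found.

    Matching is case-insensitive on ASCII letters, which suits both encodings:
    bytes.lower() only touches A-Z and never changes the length, so offsets
    into the lowered copy are offsets into the original image.
    """
    hay = image.lower()
    found = []
    groups = (("Method 11 (device name)", DEVICE_NAMES),
              ("Method 13 (registry key)", REGISTRY_PATHS))
    for method, strings in groups:
        for s in strings:
            for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
                needle = s.encode(codec).lower()
                start = 0
                while (pos := hay.find(needle, start)) != -1:
                    found.append((pos, method, label, s))
                    start = pos + 1
    return sorted(found)


def methods_seen(image: bytes) -> set:
    """Just the method labels, for a one-line triage verdict."""
    return {method for _, method, _, _ in find_indicators(image)}


def build_sample() -> bytes:
    # Constructed image: an ASCII '\\.\SICE' (as pushed to CreateFileA in the
    # listing above), a UTF-16LE '\\.\NTICE', and one of the registry paths,
    # each NUL-terminated and separated by padding.
    return (b"\x00" * 4
            + b"\\\\.\\SICE\x00"
            + b"\x00" * 4
            + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"
            + b"\x00" * 4
            + b"Software\\NuMega\\SoftICE\x00")


if __name__ == "__main__":
    for offset, method, enc, s in find_indicators(build_sample()):
        print(f"{offset:#06x} {method:26} {enc:9} {s}")
```

A protector can of course build these strings at run time or split them across the binary, which is why the breakpoints on CreateFileA, _lopen and _regopenkey given above remain the reliable check; the static scan is the quick first pass before loading the sample under SoftICE at all.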

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>