<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; assumes ES = 0 (interrupt vector table)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; arbitrary value from the timer port
    xor cx,cx
    int 41h               ; CL == AL only if our own handler was reached
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32),
                   ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
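A static triage scanner for the tricks catalogued in methods 01 to 13 above, added here as an example (it is not code from the original document): it searches a raw code/data image for the opcode sequences and strings those methods rely on, so a sample can be flagged for SoftICE checks before it is run. The opcode encodings are standard x86; the sample image is constructed, not taken from any real file.

```python
"""Static triage scanner for the anti-SoftICE tricks described on this page.

Added example (not code from the original document): it searches a raw image for
the x86 opcode sequences and strings the methods rely on, so a defender can flag
a sample carrying SoftICE checks before executing it.
"""
import re

# (method, description, byte pattern).  Immediates are little-endian and
# ".{0,16}" tolerates a few unrelated instructions between the pieces.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC) ... cmp al,4
    ("01", "BoundsChecker 'BCHK' probe through int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,16}\xcc.{0,8}\x3c\x04"),
    # Method 02: mov si,4647h (BE 47 46) / mov di,4A4Dh (BF 4D 4A), then int 3
    ("02", "SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"(?:\xbe\x47\x46.{0,16}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}\xbe\x47\x46)"
     rb".{0,16}\xcc"),
    # Methods 03/04: mov bx,0202h or mov bx,7A5Fh ... int 2Fh (CD 2F)
    ("03/04", "int 2Fh/1684h entry-point probe for the SICE or SIWVID VxD",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,16}\xcd\x2f"),
    # Methods 05/07: int 41h or int 68h ... cmp ax,0F386h (3D 86 F3)
    ("05/07", "0F386h debugger magic check via int 41h / int 68h",
     rb"\xcd[\x41\x68].{0,16}\x3d\x86\xf3"),
    # Method 11: device names passed to CreateFileA / _lopen
    ("11", "MeltICE driver handle name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 002A002Ah (68 2A 00 2A 00) ... cmp ax,0F386h (66 3D 86 F3)
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh check",
     rb"\x68\x2a\x00\x2a\x00.{0,16}\x66\x3d\x86\xf3"),
    # Method 13: registry paths naming the SoftICE installation
    ("13", "SoftICE registry key lookup",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]

def scan(image: bytes):
    """Return (method, description, offset) for every signature hit, by offset."""
    hits = [(m, d, h.start()) for m, d, rx in COMPILED for h in rx.finditer(image)]
    return sorted(hits, key=lambda h: h[2])

# Constructed sample (not taken from any real file): a 16-bit stub doing
# methods 01 and 02, then a Win32 fragment with MeltICE and registry strings.
SAMPLE = bytes.fromhex(
    "66bd4b484342"  # mov ebp,4243484Bh ('BCHK')
    "b80400"        # mov ax,4
    "cc"            # int 3
    "3c04"          # cmp al,4
    "7502"          # jnz SoftICE_Detected (dummy displacement)
    "b81109"        # mov ax,0911h
    "be4746"        # mov si,4647h
    "bf4d4a"        # mov di,4A4Dh
    "cc"            # int 3
) + b"\x00" * 8 + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"

if __name__ == "__main__":
    for method, desc, off in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method}: {desc}")
```

Run it over a raw file image (`scan(open(path, "rb").read())`); a hit is a triage lead, not proof, since the patterns only say the bytes are present.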
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>