<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with 'BCHK' in ebp and
ax=4, an int 3 is serviced by SoftICE, which changes al. Without SoftICE the
int 3 simply returns (in a Win32 program the breakpoint exception has to be
caught by an SEH handler first, see Method 02) and al still holds 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al unchanged -> no SoftICE
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands....
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler (an INT 3 handler
  the program installs beforehand) if the debugger is not loaded. With
  SoftICE loaded, the back door call returns normally, the loop runs through
  all 6 commands and the last one, HBOOT, reboots the machine.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). If the VxD with that ID is loaded,
ES:DI is set to its API entry point; if it is not, ES:DI stays 0:0.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0:0 -> no SoftICE VxD
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the entry
point of the SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0:0 -> no SIWVID VxD
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; our handler leaves ax alone: the magic can only
    jz SoftICE_Detected     ; come from a debugger sitting above the IVT

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
temporary int 41h handler only copies al into cl, so there is no 4Fh/0F386h
magic to look for; the test is whether the real-mode vector was reached at
all.

int41handler PROC
    mov cl, al              ; only reached if nobody sits on int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer counter: an unpredictable al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our own handler ran
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (the V86-mode debugger
interface):

    mov ah, 43h             ; int 68h/43h: debugger installation check
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h             ; int 21h/25h: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using a VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
of that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints (BPM) are set in dr0 to dr3,
simply by reading their values (ring 0 only: a debug register read from
ring 3 raises a general protection fault). The values can be manipulated or
changed as well (clearing the BPMs, for instance).

__________________________________________________________________________
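The read itself has to happen in ring 0 (mov eax, dr7 from a VxD), but the
decision is made when the value is interpreted. The decoder below is an
added example, not part of the original text; it takes DR7 (and optionally
DR0-DR3) values as such a read returned them and reports the three states
this method tests for, plus the "clear the BPMs" manipulation. The bit layout
is the standard IA-32 DR7 layout; the 0x700 / 0x400 values are the ones
quoted above, and the 0xF0701 sample is constructed (0x700 plus a local
read/write dword breakpoint in DR0).

```python
"""Interpret DR7 the way Method 10 uses it.

Added example, not part of the original text.  The read itself needs ring 0
(mov eax, dr7 from a VxD or a kernel-mode driver); this code only decodes
values such a read returned.  Bit layout is the standard IA-32 one.
"""
from typing import Dict, List, Sequence

# DR7 control bits
DR7_LE = 0x100            # local exact breakpoint match
DR7_GE = 0x200            # global exact breakpoint match
DR7_RESERVED_ONE = 0x400  # bit 10 always reads as 1, hence the 0x400 baseline
DR7_GD = 0x2000           # general detect: #DB on any debug-register access

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int, addrs: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Which of DR0-DR3 are armed, with scope, type, length and address."""
    bps: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 at bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 at bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 4 bits per register from 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn
        bps.append({
            "index": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
            "address": addrs[i],
        })
    return {
        "exact_match": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": bps,
    }


def softice_verdict(dr7: int, addrs: Sequence[int] = (0, 0, 0, 0)) -> str:
    """The three states the method distinguishes.  0x700 vs 0x400 (LE/GE set
    or not, on top of the always-set bit 10) is the observation quoted on
    this page for the SoftICE loader; the BPM test is what the text means by
    'memory breakpoints set (dr0 to dr3)'."""
    info = decode_dr7(dr7, addrs)
    if info["breakpoints"]:
        return "bpm-set"
    if info["exact_match"]:
        return "softice-loader"
    return "clean"


def clear_bpms(dr7: int) -> int:
    """DR7 with every L/G enable and every R/W and LEN field cleared: the
    'clearing BPMs' manipulation the text mentions, keeping only the control
    bits.  Writing it back (ring 0) disarms all four hardware breakpoints."""
    return dr7 & (DR7_LE | DR7_GE | DR7_RESERVED_ONE | DR7_GD)


if __name__ == "__main__":
    # constructed values: 0x400 = nothing, 0x700 = loaded via SoftICE loader,
    # 0xF0701 = 0x700 plus a local read/write dword BPM in DR0.
    for v in (0x400, 0x700, 0xF0701):
        info = decode_dr7(v, (0x401000, 0, 0, 0))
        print(f"dr7={v:#x}: {softice_verdict(v)}", info["breakpoints"])
```

A program that reads DR7 and sees anything other than the reserved bit is
looking at a debugger; the decoder also tells you, from the R/W and LEN
fields, whether what it saw was a BPM on a dword rather than an execution
breakpoint, which is the kind of detail that decides whether clearing DR7
before a sensitive routine is enough.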
Method 11
=========

This method is best known as 'MeltICE', because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega's
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE when the SoftICE VxD answers on its device name: on Win9x the
   \\.\SICE device can only be opened while the SICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word selects the VxD (002Ah = VWIN32),
                            ; low word the service (002Ah = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; offsets 0x13 and 0x37 land on the "tICE"
  of "Software\NuMega\SoftICE" and of "...\Uninstall\SoftICE" respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>