<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP holding
the 'BCHK' signature and AX=04h, the INT 3 is answered by SoftICE, which
modifies AL. If AL still equals 4 afterwards, SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; still 4: nobody answered the INT 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT, a hard reboot...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before honouring the INT 3.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; DS:DX points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD by ID through int 2Fh/1684h
(Get Device API Entry Point): a loaded VxD returns its API entry point in
ES:DI, an absent one leaves ES:DI = 0000:0000.


        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; still 0: no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the interrupt table
is temporarily pointed at a dummy IRET handler, so that without a debugger
the call simply returns and AX keeps its value; a resident system debugger
that hooks int 41h itself still answers with 0F386h:

        xor ax, ax
        mov es, ax              ; ES = 0: interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no fixed constant (4Fh, 0F386h) to put in a breakpoint condition. AL is
loaded with a varying value read from the timer port (40h); if nobody
intercepts the int 41h, the program's own handler copies AL into CL and the
compare succeeds. If a debugger handled the interrupt instead, CL (cleared
beforehand) no longer matches AL.


int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
returns the same 0F386h magic number.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(DR0 to DR3), simply by reading their value (in ring0 only, since the DRx
registers cannot be accessed from ring3). Values can be manipulated or
changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open succeeds only when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the device opened: SoftICE is active */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (no shareware program could seriously try to load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001        ; INVALID_HANDLE_VALUE
00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
falls in the subkey string of key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
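Added example (not from the original text, nor from SoftICE, NuMega or any
program named above): a small C scanner that finds the fixed byte sequences
the tricks of methods 01 to 07 and 12 leave in a binary, together with the
device names of method 11 and the registry key of method 13. The instruction
encodings are noted in the source; the function names (scan_buffer and the
scan_sample_* helpers) are mine, and the sample buffer it scans is
constructed for the demonstration, not taken from any real program.

```c
/* Static scanner for the SoftICE-detection tricks listed on this page.
   Added example (constructed for this page, not code from SoftICE, NuMega
   or any packer named above). The sample buffer is made up for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig {
    const char    *what;    /* method number on this page and what the bytes are */
    const uint8_t *pattern;
    size_t         len;
};

/* x86 encodings used (16-bit code; in 32-bit code the 16-bit moves carry a
   66h prefix, which does not break a substring match):
   mov ebp,imm32 = BD id   mov ax,imm16 = B8 iw   mov bx,imm16 = BB iw
   mov si,imm16  = BE iw   mov di,imm16 = BF iw   mov ah,imm8  = B4 ib
   int imm8 = CD ib   int 3 = CC   push imm8 = 6A ib   push imm32 = 68 id  */
static const uint8_t s01[] = {0xBD,0x4B,0x48,0x43,0x42};                 /* mov ebp,'BCHK'                        */
static const uint8_t s02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};       /* mov si,4647h ; mov di,4A4Dh ; int 3   */
static const uint8_t s03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F};  /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t s04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F};  /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t s05[] = {0xB8,0x4F,0x00,0xCD,0x41};                 /* mov ax,4Fh ; int 41h                  */
static const uint8_t s07[] = {0xB4,0x43,0xCD,0x68};                      /* mov ah,43h ; int 68h                  */
static const uint8_t s12[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};       /* push 4Fh ; push 2A002Ah               */

#define STR(s) (const uint8_t *)(s), sizeof(s) - 1   /* string signature without the NUL */
static const struct sig sigs[] = {
    {"01 BCHK handshake (mov ebp,'BCHK')",            s01, sizeof s01},
    {"02 back door magic values + int 3",             s02, sizeof s02},
    {"03 int 2Fh/1684h on VxD 0202h (SICE)",          s03, sizeof s03},
    {"04 int 2Fh/1684h on VxD 7A5Fh (SIWVID)",        s04, sizeof s04},
    {"05 int 41h function 4Fh",                       s05, sizeof s05},
    {"07 int 68h function 43h",                       s07, sizeof s07},
    {"12 VxDCall VWIN32_Int41Dispatch, function 4Fh", s12, sizeof s12},
    {"11 device name \\\\.\\SICE",                    STR("\\\\.\\SICE")},
    {"11 device name \\\\.\\SIWVID",                  STR("\\\\.\\SIWVID")},
    {"11 device name \\\\.\\NTICE",                   STR("\\\\.\\NTICE")},
    {"13 registry key Software\\NuMega\\SoftICE",     STR("Software\\NuMega\\SoftICE")},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Number of (possibly overlapping) occurrences of pat in buf. */
static int count_matches(const uint8_t *buf, size_t n, const uint8_t *pat, size_t plen)
{
    int hits = 0;
    if (plen == 0 || n < plen) return 0;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) hits++;
    return hits;
}

/* Scan buf against every signature: hits[] receives one count per entry of
   sigs[], the return value is the total number of matches. */
int scan_buffer(const uint8_t *buf, size_t n, int hits[])
{
    int total = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        hits[s] = count_matches(buf, n, sigs[s].pattern, sigs[s].len);
        total += hits[s];
    }
    return total;
}

/* Constructed sample input (not from any real binary): filler, a method-03
   probe as shown above, a method-02 back door call and the MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                                   /* nop ; nop                                */
    0x33,0xFF, 0x8E,0xC7,                         /* xor di,di ; mov es,di                    */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,    /* mov ax,1684h ; mov bx,0202h ; int 2Fh    */
    0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x10,   /* mov ax,es ; add ax,di ; test ax,ax ; jnz */
    0xB8,0x11,0x09, 0x8B,0x17,                    /* mov ax,0911h ; mov dx,[bx]               */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,         /* mov si,4647h ; mov di,4A4Dh ; int 3      */
    '\\','\\','.','\\','S','I','C','E',0,         /* the "\\.\SICE" device name, NUL-ended    */
    0xC3                                          /* ret                                      */
};

/* Result helpers over the sample, so the scan can be checked without printing. */
int scan_sample_total(void)
{
    int h[NSIGS];
    return scan_buffer(SAMPLE, sizeof SAMPLE, h);
}
int scan_sample_hits(size_t idx)
{
    int h[NSIGS];
    scan_buffer(SAMPLE, sizeof SAMPLE, h);
    return idx < NSIGS ? h[idx] : -1;
}

int main(void)
{
    int h[NSIGS];
    int total = scan_buffer(SAMPLE, sizeof SAMPLE, h);
    for (size_t s = 0; s < NSIGS; s++)
        if (h[s]) printf("%d x method %s\n", h[s], sigs[s].what);
    printf("%d suspicious sequence(s) in %zu bytes\n", total, sizeof SAMPLE);
    return 0;
}
```

For a real target, read the file into a buffer and hand it to scan_buffer().
A byte match only catches constants the program stores literally: code that
builds the magic values at run time, and Method 06, which has no constant at
all, need the breakpoints given under each method instead.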
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; zero flag set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>