<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL is still 4 when no debugger answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0 if no VxD answered
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to be 0 here, so es:[41h*4] is the int 41h vector in the IVT.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h                 ; with no debugger, the dummy handler leaves AX = 4Fh
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if nothing else intercepts int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer byte, so the compared value is not a constant
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copied AL into CL; if a debugger took the
    jnz SoftICE_detected    ; interrupt, CL is still 0 (false negative if AL happened to be 0)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
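
As an added example that is not part of this document, here is a small Python
scanner that looks in a binary for the byte-level fingerprints of the tricks
described above (Methods 01-05, 07, 11 and 12), the static counterpart of the
BPX conditions listed for Methods 11 and 12. The opcode encodings, the match
windows and the sample blob are my own construction; a real program may encode
an instruction differently or build the constants at run time, so a miss is not
proof of absence.

```python
import re
import sys

# Byte-level fingerprints of the anti-SoftICE tricks described in this document.
# Encodings assume 16-bit code for the DOS-era tricks (Methods 01-07) and 32-bit
# code for the Win32 ones (Methods 11-12). In the other mode the instruction just
# gains a 66h operand-size prefix, which the preceding wildcard absorbs.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",       # mov ebp,4243484Bh
     rb"\xbd\x4b\x48\x43\x42"),
    ("Method 02: int 3 backdoor, SI=4647h / DI=4A4Dh",    # mov si / mov di, either order
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46"),
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",     # mov bx,0202h ... int 2Fh
     rb"\xbb\x02\x02.{0,8}?\xcd\x2f"),
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",   # mov bx,7A5Fh ... int 2Fh
     rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    ("Method 05: int 41h/4Fh, magic 0F386h",              # int 41h ... cmp ax,0F386h
     rb"\xcd\x41.{0,16}?\x3d\x86\xf3"),
    ("Method 07: int 68h/43h (V86 WinICE handler)",       # mov ah,43h ... int 68h
     rb"\xb4\x43.{0,4}?\xcd\x68"),
    ("Method 11: MeltICE device name (ANSI string)",      # \\.\SICE, \\.\SIWVID, \\.\NTICE
     b"|".join(re.escape(b"\\\\.\\" + d) for d in (b"SICE", b"SIWVID", b"NTICE"))),
    ("Method 12: VxDCall VWIN32_Int41Dispatch",           # push 4Fh ; push 002A002Ah
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,4}?\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs, sorted by offset, for every fingerprint hit."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    return sorted(hits)


def constructed_sample() -> bytes:
    """Hand-assembled fragments of Methods 01, 02, 11 and 12 between filler bytes.
    This blob is constructed for the demo; it is not taken from any real program."""
    m01 = bytes.fromhex("66bd4b484342 b80400 cc 3c04 7501")   # 16-bit: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    m02 = bytes.fromhex("b81109 8b17 be4746 bf4d4a cc")       # 16-bit: mov ax,0911h; mov dx,[bx]; mov si; mov di; int 3
    m11 = b"\\\\.\\SICE\x00"                                  # the string handed to CreateFileA
    m12 = bytes.fromhex("6a4f 682a002a00 e800000000 663d86f3 7400")  # 32-bit: push 4Fh; push 002A002Ah; call; cmp ax,0F386h; jz
    return b"\x90" * 16 + m01 + b"\x00" * 8 + m02 + b"\x00" * 8 + m11 + b"\x00" * 8 + m12


def main() -> None:
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for offset, label in scan(blob):
        print(f"{offset:08x}  {label}")


if __name__ == "__main__":
    main()
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample.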

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>