About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature check built into SoftICE: 'BCHK' is
put in EBP, 4 in AX, and int 3 is issued. If SoftICE is loaded it answers
the request by modifying AL, so AL still being 4 afterwards means no SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :).

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"). ES:DI is zeroed first and receives the VxD API
entry point if the VxD is loaded, so ES:DI still being null means no SoftICE.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0000:0000 -> VxD not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to be 0 here (IVT segment)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...saving the old vector in DX:BX
    mov     ax,4fh
    int     41h                     ; a debugger intercepting int 41h answers
                                    ; regardless of the vector we installed
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; only reached if int 41h was NOT intercepted
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random byte from the timer counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL -> our handler was never called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
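Reading the debug registers the way this method describes only makes sense if one can interpret DR7, so here is an added decoder (example code, not from the original post). The bit layout is the one documented in the Intel manuals; the 0x400/0x700 interpretation is the paragraph's: bit 10 of DR7 is reserved and always reads as 1, which is why an idle register shows 0x400, and 0x700 adds the LE/GE exact-breakpoint bits that a debugger switches on. The sample values are constructed.

```python
"""Decode the x86 DR7 debug-control register, as read by Method 10.

Added example, not part of the original post.  Bit layout per the Intel SDM:
  bits 0..7   L0,G0 .. L3,G3   local/global enable of breakpoint slots 0..3
  bit 8       LE               local exact breakpoint enable
  bit 9       GE               global exact breakpoint enable
  bit 10      reserved, always reads as 1 (hence an idle DR7 is 0x400)
  bit 13      GD               general detect: trap on any MOV to/from DR0..DR7
  bits 16+4i  R/W i            00 execute, 01 write, 10 I/O (CR4.DE), 11 read/write
  bits 18+4i  LEN i            00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit only)
"""
from __future__ import annotations

from dataclasses import dataclass

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int
    local: bool
    glob: bool
    kind: str
    length: int


@dataclass(frozen=True)
class Dr7:
    value: int
    breakpoints: tuple[HwBreakpoint, ...]   # enabled slots only
    local_exact: bool
    global_exact: bool
    general_detect: bool


def decode_dr7(value: int) -> Dr7:
    """Split a DR7 value into its fields; only enabled slots are reported."""
    slots = []
    for i in range(4):
        local = bool((value >> (2 * i)) & 1)
        glob = bool((value >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (value >> (16 + 4 * i)) & 3
            ln = (value >> (18 + 4 * i)) & 3
            slots.append(HwBreakpoint(i, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return Dr7(
        value=value,
        breakpoints=tuple(slots),
        local_exact=bool((value >> 8) & 1),
        global_exact=bool((value >> 9) & 1),
        general_detect=bool((value >> 13) & 1),
    )


def classify_dr7(value: int) -> str:
    """Interpret DR7 the way Method 10 does: BPMs set, debugger loaded, or clean."""
    dr7 = decode_dr7(value)
    if dr7.breakpoints:
        return "hardware breakpoints set"
    if dr7.local_exact or dr7.global_exact:
        return "debugger loaded"        # the post's 0x700 case
    return "clean"                      # the post's 0x400 case (reserved bit only)


if __name__ == "__main__":
    # Constructed values: idle, SoftICE loader, one 4-byte read/write BPM in slot 0.
    for v in (0x400, 0x700, 0xF0401):
        print(f"DR7={v:#07x}: {classify_dr7(v)}  {decode_dr7(v).breakpoints}")
```

The classification is only as good as the paragraph's premise: any ring0 component that programs the debug registers produces the same bits, so the decoder tells you what is set, and Method 10's guess about who set it is a separate step.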

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
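Most of the tricks above leave recognisable byte patterns or strings in the protected file, which is the practical way to triage a sample for them without running it. The scanner below is an added example, not part of the original post or of any of the tools it names: it searches a byte buffer for the BCHK magic of Method 01, the 4647h/4A4Dh back-door pair of Method 02, the int 2Fh/1684h VxD ID probes of Methods 03 and 04, the int 41h/4Fh check and the 0F386h magic of Methods 05 and 12, the int 68h/43h probe of Method 07, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11 and the NuMega registry path of Method 13. The instruction encodings are the standard x86 ones (the 16-bit immediate forms also match 32-bit code, where they are simply preceded by a 66h prefix); the sample buffer is constructed from the post's snippets and is not taken from any real file.

```python
"""Scan a binary image for the anti-SoftICE tricks described in the post.

Added example, not part of the original text.  Instruction encodings are the
standard x86 ones; a `mov reg16,imm16` pattern matches 32-bit code too,
because there the 66h operand-size prefix just precedes the same bytes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str        # method number from the post
    description: str
    pattern: bytes     # bytes regex


def _seq(*hex_chunks: str, gap: int = 0) -> bytes:
    """Regex for instruction chunks (hex) with up to `gap` arbitrary bytes
    between them, since other instructions may be interleaved in real code."""
    parts = [re.escape(bytes.fromhex(chunk)) for chunk in hex_chunks]
    return (b".{0,%d}?" % gap).join(parts)


def _any_string(text: str) -> bytes:
    """Regex for `text` either as ASCII (CreateFileA, _lopen) or as UTF-16LE
    (CreateFileW on NT)."""
    return (b"(?:" + re.escape(text.encode("ascii")) + b"|"
            + re.escape(text.encode("utf-16-le")) + b")")


SIGNATURES = [
    Signature("01", "mov ebp,4243484Bh ('BCHK'): BoundsChecker/int 3 check",
              _seq("BD4B484342")),
    Signature("02", "mov si,4647h / mov di,4A4Dh: back-door magic values",
              _seq("BE4746", "BF4D4A", gap=8)),
    Signature("03", "mov ax,1684h / mov bx,0202h: int 2Fh entry point of SICE",
              _seq("B88416", "BB0202", gap=8)),
    Signature("04", "mov ax,1684h / mov bx,7A5Fh: int 2Fh entry point of SIWVID",
              _seq("B88416", "BB5F7A", gap=8)),
    Signature("05", "mov ax,4Fh / int 41h: debugger installation check",
              _seq("B84F00", "CD41", gap=4)),
    Signature("05/12", "cmp ax,0F386h: system debugger magic number",
              _seq("3D86F3")),
    Signature("07", "mov ah,43h / int 68h: WinICE V86 handler check",
              _seq("B443", "CD68", gap=4)),
    Signature("11", r"\\.\SICE device name (MeltICE)", _any_string(r"\\.\SICE")),
    Signature("11", r"\\.\SIWVID device name (MeltICE)", _any_string(r"\\.\SIWVID")),
    Signature("11", r"\\.\NTICE device name (MeltICE, NT)", _any_string(r"\\.\NTICE")),
    Signature("13", r"Software\NuMega\SoftICE registry path",
              _any_string(r"Software\NuMega\SoftICE")),
]


def scan(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for match in re.finditer(sig.pattern, buf, re.DOTALL):
            hits.append((match.start(), sig.method, sig.description))
    return sorted(hits)


def detected_methods(buf: bytes) -> list[str]:
    """Distinct method numbers found, sorted."""
    return sorted({method for _, method, _ in scan(buf)})


# Constructed sample: the post's snippets assembled back to back with NOP
# padding.  Not taken from any real file.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD4B484342")            # mov ebp,4243484Bh              (Method 01)
    + bytes.fromhex("B80400CC3C04")          # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 3
    + bytes.fromhex("B81109")                # mov ax,0911h                   (Method 02)
    + bytes.fromhex("BE4746BF4D4ACC")        # mov si,4647h / mov di,4A4Dh / int 3
    + bytes.fromhex("B84F00CD413D86F3")      # mov ax,4Fh / int 41h / cmp ax,0F386h (Method 05)
    + bytes.fromhex("B443CD68")              # mov ah,43h / int 68h           (Method 07)
    + bytes.fromhex("B88416BB0202CD2F")      # mov ax,1684h / mov bx,0202h / int 2Fh (Method 03)
    + b"\\\\.\\SICE\0"                       # ASCII device name              (Method 11)
    + "\\\\.\\NTICE".encode("utf-16-le")     # wide device name               (Method 11)
    + b"Software\\NuMega\\SoftICE\0"         # registry path                  (Method 13)
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:08x}  method {method:<5} {description}")
```

The byte-level patterns are deliberately short, so a hit is a reason to look at the disassembly at that offset rather than a verdict; conversely Methods 06, 08, 09, 10 and 14 have no fixed signature worth matching (they depend on register contents, VMM calls or ring0 reads), which is why they are absent from the table.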