About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to address the IVT (segment 0), see Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
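The article gives, for each trick, the SoftICE breakpoint that catches it at run time. As an added example (not part of the original article), here is a small static scanner, written in Python, that looks for the traces these tricks leave in a binary image before it is ever run: the 'BCHK' constant and int 3 of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h and int 41h/4Fh sequences of Methods 03 to 05, the 0F386h compare shared by Methods 05, 07 and 12, the 002A002Ah VxDCall of Method 12, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11, and the registry paths of Method 13. The byte patterns are my own hand-assembled x86 encodings of the listed instructions (an assumption about how a packer emits them, so expect misses against reordered or obfuscated code), and the sample image is constructed, not taken from any real file.

```python
"""Static scanner for the anti-SoftICE artifacts catalogued in the article.

Added example, not the article's own code.  Byte patterns are hand-assembled
x86 encodings of the listed instructions (an assumption); string patterns are
the device and registry names quoted in Methods 11 and 13.
"""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Signature:
    method: str          # method number(s) in the article
    description: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    offset: int
    method: str
    description: str
    matched: bytes


def _sig(method: str, description: str, pattern: bytes, ignore_case: bool = False) -> Signature:
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return Signature(method, description, re.compile(pattern, flags))


SIGNATURES: List[Signature] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 (optional 66h prefix) / int 3
    _sig("01", "BoundsChecker 'BCHK' int 3 probe",
         rb"\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc"),
    # Method 02: mov si,4647h / mov di,4A4Dh shortly before int 3 (16-bit code)
    _sig("02", "SoftICE back-door magic values SI=4647h, DI=4A4Dh before int 3",
         rb"\xbe\x47\x46\xbf\x4d\x4a.{0,16}?\xcc"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    _sig("03/04", "int 2Fh/1684h entry point lookup for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
         rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    # Method 05: mov ax,4Fh / int 41h
    _sig("05", "int 41h function 4Fh debugger installation check",
         rb"\xb8\x4f\x00\xcd\x41"),
    # Methods 05/07/12: cmp ax,0F386h (16-bit, or 66h-prefixed in 32-bit code)
    _sig("05/07/12", "compare with system debugger magic number 0F386h",
         rb"(?:\x66)?\x3d\x86\xf3"),
    # Method 07: mov ah,43h / int 68h
    _sig("07", "int 68h function 43h V86 handler check",
         rb"\xb4\x43\xcd\x68"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    _sig("12", "VxDCall service number 002A002Ah (VWIN32_Int41Dispatch)",
         rb"\x68\x2a\x00\x2a\x00"),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE / _lopen variant)
    _sig("11", "SoftICE driver device name opened with CreateFileA/_lopen",
         rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", ignore_case=True),
    # Method 13: registry key fragments
    _sig("13", "SoftICE registry key path",
         rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
         ignore_case=True),
]


def scan(data: bytes) -> List[Finding]:
    """Return every signature hit in `data`, ordered by offset."""
    findings = [
        Finding(m.start(), s.method, s.description, m.group(0))
        for s in SIGNATURES
        for m in s.pattern.finditer(data)
    ]
    findings.sort(key=lambda f: f.offset)
    return findings


def methods_found(data: bytes) -> Set[str]:
    """Set of article method numbers whose artifacts appear in `data`."""
    return {f.method for f in scan(data)}


# Constructed sample image (not a real file): NOP padding around hand-assembled
# fragments of Methods 01, 02 and 05 plus the strings from Methods 11 and 13.
SAMPLE = b"".join([
    b"\x90" * 8,
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc",            # Method 01
    b"\x90" * 4,
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc",    # Method 02 (Haspinst-style)
    b"\x90" * 4,
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",                    # Method 05
    b"\x90" * 4,
    b"\\\\.\\SICE\x00",                                     # Method 11
    b"\x90" * 4,
    b"Software\\NuMega\\SoftICE\x00",                       # Method 13
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  method {f.method:<8} {f.description}")
```

Run it on a real file by passing `open(path, "rb").read()` to `scan`. A hit on "05/07/12" alone is weak evidence (three bytes can occur by chance); a hit on Method 01, 02 or 11 is much more specific, and several different methods in one image strongly suggests a packer of the kind the article describes.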