<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' BoundsChecker signature
        mov ax, 04h
        int 3                   ; SoftICE's BoundsChecker interface answers here
        cmp al,4                ; AL unchanged -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h          ; magic number returned by a system debugger
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0), as in method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone; a debugger
        jz SoftICE_detected     ; intercepting int 41h returns the magic value

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if the int 41h vector is really used
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer chip
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL still 0 -> our handler never ran ->
        jnz SoftICE_detected    ; a debugger swallowed int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
By checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (DR0 to DR3) simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
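Decoding DR7 bit by bit, as an added example that is not part of the original text: the 0x400 and 0x700 values quoted above become readable once the register layout is known (bit 10 is a reserved always-set bit, bits 8 and 9 are the LE/GE flags, bits 0-7 enable DR0-DR3, and bits 16-31 hold each slot's type and length). classify() applies exactly the reading given above; the BPM_DR7 value is constructed for the demonstration.

```python
"""Decode the x86 DR7 debug-control register that method 10 reads.

Added example (not from the original text).  Layout per the Intel SDM:
bits 0-7 hold the L0/G0 .. L3/G3 enable pairs for DR0-DR3, bit 8 is LE,
bit 9 is GE, bit 10 is reserved and always reads as 1 (which is why an
idle DR7 is 0x400, not 0), and for slot n bits 16+4n..17+4n hold R/Wn
(00 exec, 01 write, 11 read/write) while bits 18+4n..19+4n hold LENn
(00 1 byte, 01 2 bytes, 11 4 bytes).
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Return the armed DR0-DR3 slots (type and length) plus the LE/GE flags."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"slot": n, "global": bool(glob),
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"armed": armed,
            "le": bool(dr7 & 0x100),
            "ge": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400)}

def classify(dr7: int) -> str:
    """Apply the reading given in method 10: 0x700 means the program was started
    through the SoftICE Loader, 0x400 means nothing is set, and any armed slot
    means a hardware/memory breakpoint (BPM) is live."""
    info = decode_dr7(dr7)
    if info["armed"]:
        slots = ",".join("DR%d" % s["slot"] for s in info["armed"])
        return "hardware breakpoints set on " + slots
    if info["le"] and info["ge"]:
        return "LE/GE set: consistent with a program started by the SoftICE Loader (dr7=0x700)"
    return "no breakpoints armed (dr7=0x%x)" % dr7

# Constructed value: one 4-byte read/write BPM on DR0 (L0=1, R/W0=11, LEN0=11)
# on top of the always-set reserved bit.
BPM_DR7 = 0x400 | 0b01 | (0b11 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_DR7):
        print("DR7=0x%06X -> %s" % (value, classify(value)))
```

A program reading DR7 from ring0 sees exactly these bits, which is why the text warns to clear breakpoints before tracing a protection that uses this trick: any BPM you set shows up in the armed list.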

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a handle to the SoftICE Win9x driver can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There are hundreds of BPXs you could use to detect this trick.
-The most classic one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, there are several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow
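A static byte-pattern scanner for the tricks described in methods 01, 02, 03/04, 05, 07 and 12 above, as an added example that is not part of the original text: it encodes each instruction sequence (plus the 0F386h magic compare shared by methods 05, 07 and 12) as a regular expression over raw bytes and lists where they occur in a code image, so an analyst can spot the checks in a sample before stepping into them. The two sample images are constructed here (they mimic the Haspinst.exe listing of method 02 and the Bleem sequence of method 12); the import address behind the FF 15 call in the Win32 sample is a placeholder. A hit only says the sequence is present, not that it is reached: confirm it live with the BPINT/BPX conditions given in each method.

```python
"""Scan a raw code image for the anti-SoftICE instruction sequences listed above.

Added example (not from the original text).  16-bit encodings are used for the
DOS/V86 tricks, 32-bit encodings for the Win32 VxDCall trick.  The '.{0,N}?'
windows allow for the few instructions the listings place between the magic
loads and the interrupt or call.
"""
import re

# (method code, description, pattern)
PATTERNS = [
    ("01", "int 3 with ebp='BCHK' (BoundsChecker signature)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("02", "int 3 back door, si=4647h di=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("03", "int 2Fh/1684h with VxD id 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with VxD id 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("07", "int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,8}?(?:\xE8|\xFF\x15)", re.DOTALL)),
    ("F386", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x66?\x3D\x86\xF3")),
]

def scan(image: bytes) -> list:
    """Return sorted (offset, method code) pairs for every pattern hit in image."""
    hits = set()
    for code, _desc, rx in PATTERNS:
        for m in rx.finditer(image):
            hits.add((m.start(), code))
    return sorted(hits)

def report(image: bytes, label: str) -> None:
    """Print a human-readable hit list, as an analyst would read it."""
    desc = {code: d for code, d, _ in PATTERNS}
    hits = scan(image)
    print(f"{label}: {len(hits)} hit(s)")
    for off, code in hits:
        print(f"  +{off:04X}  method {code:4} {desc[code]}")

# Constructed 16-bit sample: the Haspinst.exe sequence of method 02 followed
# by the plain int 41h/4Fh check of method 05.
SAMPLE_DOS = (
    b"\x90\x90"          # nop ; nop (filler)
    b"\xB8\x11\x09"      # mov ax,0911h
    b"\x8B\x17"          # mov dx,[bx]
    b"\xBE\x47\x46"      # mov si,4647h
    b"\xBF\x4D\x4A"      # mov di,4A4Dh
    b"\xCC"              # int 3
    b"\x83\xC3\x02"      # add bx,2
    b"\xB8\x4F\x00"      # mov ax,4Fh
    b"\xCD\x41"          # int 41h
    b"\x3D\x86\xF3"      # cmp ax,0F386h
    b"\x74\x00"          # jz $+2
)

# Constructed 32-bit sample: the method 12 VxDCall sequence and the method 01
# BoundsChecker check.  The import address after FF 15 is a placeholder.
SAMPLE_WIN32 = (
    b"\x55"                        # push ebp (filler)
    b"\x6A\x4F"                    # push 4Fh
    b"\x68\x2A\x00\x2A\x00"        # push 2A002Ah
    b"\xFF\x15\x00\x00\x00\x00"    # call dword ptr [VxDCall]  (placeholder address)
    b"\x66\x3D\x86\xF3"            # cmp ax,0F386h
    b"\x74\x00"                    # jz $+2
    b"\xBD\x4B\x48\x43\x42"        # mov ebp,4243484Bh ('BCHK')
    b"\x66\xB8\x04\x00"            # mov ax,4
    b"\xCC"                        # int 3
)

if __name__ == "__main__":
    report(SAMPLE_DOS, "SAMPLE_DOS")
    report(SAMPLE_WIN32, "SAMPLE_WIN32")
```

Run it on a file's code section (open in binary mode and pass the bytes to scan) to get a first list of suspicious offsets; patterns 03/04 and 07 produce no hit on the two samples, which is the expected negative case.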

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
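The SoftICE conditions of method 11 (BPX CreateFileA) and method 13 (BPX _regopenkey) evaluated against a constructed memory snapshot, as an added example that is not part of the original text: 'reg->off' reads the dword at [reg+off] and '*(addr)' compared with a four-character literal compares the four bytes at addr, so the helpers below implement just those two operations and then spell out both breakpoint expressions as Python. The string address 00402025 and the return address 00401071 come from the MeltICE listing above; the stack address, the key-name address and the RegOpenKey return address are constructed.

```python
"""Evaluate the SoftICE breakpoint conditions of methods 11 and 13 against a
constructed memory snapshot.

Added example (not from the original text).  In SoftICE expressions 'reg->off'
reads the dword at [reg+off] and '*(addr)' compared with a four-character
literal compares the four bytes at addr.  At a BPX on an API entry point,
[esp] is the return address and the arguments follow, so esp->4 is the first
argument and esp->8 the second.  All addresses and stack contents below are
constructed for the demonstration.
"""

IMAGE_BASE = 0x00400000          # constructed: one flat 64 KiB image

class Memory:
    """Flat little-endian byte image; unwritten bytes read as zero."""
    def __init__(self, size: int = 0x10000):
        self.buf = bytearray(size)
    def write(self, addr: int, data: bytes) -> None:
        off = addr - IMAGE_BASE
        self.buf[off:off + len(data)] = data
    def read(self, addr: int, size: int) -> bytes:
        off = addr - IMAGE_BASE
        if off < 0 or off + size > len(self.buf):
            raise ValueError("unmapped address 0x%08X" % addr)
        return bytes(self.buf[off:off + size])
    def dword(self, addr: int) -> int:
        return int.from_bytes(self.read(addr, 4), "little")

def dwords(*values: int) -> bytes:
    """Pack 32-bit values little-endian, the way they sit on the stack."""
    return b"".join(v.to_bytes(4, "little") for v in values)

def arrow(mem: Memory, reg: int, off: int) -> int:
    """SoftICE 'reg->off': the dword stored at [reg+off]."""
    return mem.dword(reg + off)

def tag(mem: Memory, addr: int) -> bytes:
    """SoftICE '*(addr)' against a 4-char literal: the four bytes at addr."""
    return mem.read(addr, 4)

def createfilea_condition(mem: Memory, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is lpFileName; +4 skips the four-character device prefix."""
    name_ptr = arrow(mem, esp, 4)
    return tag(mem, name_ptr + 4) in (b"SICE", b"SIWV", b"NTIC")

def regopenkey_condition(mem: Memory, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 'tICE' sits at offset 0x13 in key #2 and 0x37 in key #1."""
    subkey = arrow(mem, esp, 8)
    return tag(mem, subkey + 0x13) == b"tICE" or tag(mem, subkey + 0x37) == b"tICE"

def createfilea_snapshot(device: str):
    """Constructed state when BPX CreateFileA fires for the MeltICE listing above:
    the device string at 00402025, return address 00401071, a made-up stack."""
    mem = Memory()
    name_addr, esp = 0x00402025, 0x0040F000
    mem.write(name_addr, ("\\\\.\\" + device).encode("ascii") + b"\x00")
    mem.write(esp, dwords(0x00401071, name_addr))           # ret, lpFileName
    return mem, esp

def regopenkey_snapshot(subkey: str):
    """Constructed state when BPX _regopenkey fires: hKey=HKEY_LOCAL_MACHINE, lpSubKey."""
    mem = Memory()
    key_addr, esp = 0x00403000, 0x0040F000
    mem.write(key_addr, subkey.encode("ascii") + b"\x00")
    mem.write(esp, dwords(0x00401234, 0x80000002, key_addr))  # ret (constructed), hKey, lpSubKey
    return mem, esp

if __name__ == "__main__":
    for dev in ("SICE", "SIWVID", "NTICE", "COM1"):
        print(f"CreateFileA({dev!r:10}) -> break: {createfilea_condition(*createfilea_snapshot(dev))}")
    for key in (r"Software\NuMega\SoftICE",
                r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
                r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe"):
        print(f"RegOpenKey({key}) -> break: {regopenkey_condition(*regopenkey_snapshot(key))}")
```

Working through the offsets shows where 0x13 and 0x37 come from: "Software\NuMega\" is 16 characters, so the 't' of SoftICE is at 19 = 0x13, and "Software\Microsoft\Windows\CurrentVersion\Uninstall\" is 52, putting it at 55 = 0x37. It also shows what the breakpoint misses: key #3 (App Paths\Loader32.Exe) never matches, so a program reading only that key passes under it.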

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>