<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; SoftICE's int 3 handler changes al when it services the request
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di             ; es:di = 0 before the call
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WINICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; still zero if no VxD with that ID answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler so that the call is harmless when no debugger is present
(without a debugger, the int 41h vector normally points to the fixed disk
parameter table, not to code):

    xor ax, ax
    mov es, ax             ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; swap in our own handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; an arbitrary value (timer port)
    xor cx, cx
    int 41h                ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; ...unless a debugger intercepted the call
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h            ; set interrupt vector
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
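Decoding the DR7 values mentioned above, as an added example that is not part of the original text: the IA-32 bit layout shows that 0x700 differs from 0x400 only by the LE and GE bits (bit 10 is reserved and always reads as 1), and what a set memory breakpoint (BPM) looks like in the register. The names decode_dr7, build_dr7 and looks_like_debugger are this example's own.

```python
# DR7 layout (IA-32): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved (reads as 1), GD bit 13, then per-slot R/W (2 bits)
# and LEN (2 bits) fields starting at bit 16.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is 8 bytes only in long mode


def decode_dr7(dr7):
    """Describe DR7: global flags plus one entry per enabled breakpoint slot."""
    info = {
        "le": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),   # general detect: trap on DRx access
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "slot": n, "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return info


def looks_like_debugger(dr7, dr0_3):
    """The check Method 10 describes: any DR7 bit beyond the reserved bit 10,
    or any non-zero address in DR0..DR3, is taken as a sign of a debugger."""
    return (dr7 & ~0x400) != 0 or any(addr != 0 for addr in dr0_3)


def build_dr7(slot, kind, length, local=True):
    """Compose a DR7 word enabling one breakpoint (constructed test helper)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    val = 0x400 | (1 << (2 * slot + (0 if local else 1)))
    val |= rw << (16 + 4 * slot)
    val |= ln << (18 + 4 * slot)
    return val


if __name__ == "__main__":
    for value in (0x400, 0x700, build_dr7(0, "write", 4)):
        print(hex(value), decode_dr7(value))
```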
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;       /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected

    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh         ; function 4Fh
    push 002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
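For a defender triaging a binary for these checks, here is an added example (not code from the original text): a small static scanner for the instruction-byte and string artifacts of Methods 01-07, 11, 12 and 13 described above, run over a constructed sample blob. The byte patterns are the x86 encodings of the listed instructions (an optional 66h prefix covers the 32-bit encodings of the 16-bit register forms); the signature names, the scan() helper and the sample bytes are this example's own.

```python
import re

# Byte signatures: x86 encodings of the instructions quoted in the methods above.
BYTE_SIGS = [
    ("01 BoundsChecker 'BCHK' (mov ebp,4243484Bh ... int 3)",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02 backdoor magic (mov si,4647h / mov di,4A4Dh)",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A\x66?\xBE\x47\x46"),
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05 int 41h/4Fh check (mov ax,4Fh / int 41h)", rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("07 int 68h/43h V86 check (mov ah,43h / int 68h)", rb"\xB4\x43\xCD\x68"),
    ("05/07/12 cmp ax,0F386h magic number", rb"\x66?\x3D\x86\xF3"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
# Method 11 device names and Method 13 registry subkeys, matched as plain strings.
STRING_SIGS = [("11 device name " + n, b"\\\\.\\" + n.encode())
               for n in ("SICE", "SIWVID", "NTICE")]
STRING_SIGS += [("13 registry key " + k, k.encode()) for k in
                (r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                 r"App Paths\Loader32.Exe")]


def compile_sigs():
    sigs = [(n, re.compile(p, re.DOTALL)) for n, p in BYTE_SIGS]
    for n, s in STRING_SIGS:
        sigs.append((n, re.compile(re.escape(s), re.IGNORECASE)))
        # UTF-16LE form, as a CreateFileW/RegOpenKeyW caller would carry it
        sigs.append((n + " (UTF-16LE)",
                     re.compile(re.escape(s.decode().encode("utf-16-le")))))
    return sigs


def scan(blob):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, rx in compile_sigs():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)


# Constructed sample: a few of the checks above glued together with filler.
SAMPLE = (
    b"\x55\x8B\xEC"                          # push ebp / mov ebp,esp (filler)
    b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"  # Method 02: magic values + int 3
    b"\x90\x90"
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # Method 03: int 2Fh/1684h, ID 0202h
    b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # Method 12: push 4Fh / push 2A002Ah
    b"\x66\x3D\x86\xF3"                      # cmp ax,0F386h
    b"\x00\\\\.\\SICE\x00"                   # Method 11: \\.\SICE
    b"Software\\NuMega\\SoftICE\x00"         # Method 13: registry subkey #2
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```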
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>