About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
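The two DR7 readings quoted above (0x400 with nothing set, 0x700 after the SoftICE loader) follow from the register's bit layout, which is also what tells a ring0 check whether any DR0-DR3 memory breakpoint is armed. The decoder below is an added example, not code from the original post; the bit positions are the documented Intel DR7 layout, and the "loader signature" label only restates what the post says about 0x700.

```python
# Added example (not from the original post): decode an x86 DR7 value so the
# post's 0x400 / 0x700 readings, and the "memory breakpoints set" case, can be
# read off bit by bit. Layout follows the Intel SDM (Vol. 3, Debug Registers).

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the global control bits and the per-slot settings encoded in DR7."""
    info = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint match
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint match
        "reserved_bit10": bool(dr7 & (1 << 10)),  # reserved, reads as 1 (the 0x400)
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap on DR access
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))        # L0..L3 at bits 0,2,4,6
        glob = bool(dr7 & (1 << (2 * i + 1)))     # G0..G3 at bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/Wn: condition for DRn
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENn: size watched at DRn
        info["breakpoints"].append({
            "index": i, "enabled": local or glob, "local": local,
            "global": glob, "type": RW_NAMES[rw], "length": LEN_NAMES[ln],
        })
    return info


def enabled_breakpoints(dr7: int) -> list:
    """Indices of DR0-DR3 slots that are armed (what the BPM check above looks for)."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


def classify(dr7: int) -> str:
    """Reproduce the post's two readings: 0x400 idle, 0x700 = LE+GE set by the loader."""
    d = decode_dr7(dr7)
    if enabled_breakpoints(dr7):
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "exact-match bits set (the SoftICE loader value quoted in the post)"
    return "idle"


if __name__ == "__main__":
    # third value: 0x700 plus DR0 locally enabled as a 4-byte read/write watch
    for v in (0x400, 0x700, 0x700 | 0x1 | (0b11 << 16) | (0b11 << 18)):
        print(hex(v), classify(v), enabled_breakpoints(v))
```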

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name reaches the driver's control proc, not the file system */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>