<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if a handle to the SoftICE (Win9x) driver can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* driver present: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
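
As an added analyst-side example (not from the original text, nor from any tool it mentions): a Python scanner that flags the byte patterns of Methods 01, 02, 03/04, 05, 07 and 12 and the device/registry strings of Methods 11 and 13 in a file image, so these checks can be spotted statically before a sample is ever run under a debugger. The x86 instruction encodings, the label names and the sample buffer are my assumptions.

```python
import re

# Byte signatures for the anti-SoftICE checks described above (Methods 01,
# 02, 03/04, 05, 07 and 12). The x86 encodings are assumed from the page's
# listings (16-bit forms, which are also substrings of the 66h-prefixed
# 32-bit forms); regexes allow a few bytes between the instructions.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' / int 3":
        rb"\xBD\x4B\x48\x43\x42",                      # mov ebp,4243484Bh
    "M02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
    "M03/M04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00\xCD\x41",                      # mov ax,4Fh ; int 41h
    "M07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",                          # mov ah,43h ; int 68h
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
# Device and registry names (Methods 11 and 13) are matched as plain ASCII.
STRINGS = {
    "M11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "M13 registry key": [b"Software\\NuMega\\SoftICE", b"App Paths\\Loader32.Exe"],
}


def scan(buf):
    """Return sorted (offset, label) pairs for every signature found in buf."""
    hits = []
    for label, pat in SIGNATURES.items():
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), label))
    for label, names in STRINGS.items():
        for name in names:
            for m in re.finditer(re.escape(name), buf):
                hits.append((m.start(), label + " " + name.decode()))
    return sorted(hits)


# Constructed sample image: fragments of Methods 01, 05, 12 and 11 between NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK' .. cmp al,4
    + b"\x90" * 3
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # push 4Fh; push 2A002Ah
    + b"\x00\\\\.\\SICE\x00"                                # "\\.\SICE" for CreateFileA
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```

A hit only says the pattern is present; confirm it in the disassembly, since the 16-bit encodings can also occur by chance inside data.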

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>