<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h
        int 3                   ; AL is altered if SoftICE services this int 3
        cmp al,4
        jnz SoftICE_Detected    ; AL no longer 4 -> SoftICE is there

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h           ; Get Device API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector
        xchg bx, es:[41h*4+2]   ; (es is assumed to be 0, the IVT segment,
                                ;  as set up explicitly in Method 06)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (PIT counter)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL: our handler was not the one run
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS Set Interrupt Vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> could not open
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

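Added example (not part of the original text, written in Python for this
edit): the conditional breakpoints given for Methods 11 and 13 compare four
bytes at a fixed offset inside the string argument of CreateFileA or
RegOpenKey. The code below reproduces those predicates over the argument
strings so the constants 4, 0x13 and 0x37 can be checked, and shows which of
the three registry keys the breakpoint misses. The function names and the
sample arguments are constructed for this example; the 4-char literal compare
is taken as the four bytes in memory order.

```python
# *(esp->4+4): esp->4 is the first argument of CreateFileA (lpFileName) and
# +4 skips the "\\.\" device prefix, so the four bytes compared are the name.
CREATEFILE_OFFSET = 4
# *(esp->8+0x13) / *(esp->8+0x37): esp->8 is the lpSubKey argument; the two
# offsets are where "tICE" lands inside registry keys #2 and #1 respectively.
REGOPENKEY_OFFSETS = (0x13, 0x37)
BREAK_ON_NAMES = (b"SICE", b"SIWV", b"NTIC")


def dword_at(s: bytes, off: int) -> bytes:
    """The four bytes SoftICE reads for a comparison such as *(p)=='SICE'
    (memory order; a string shorter than off+4 yields fewer bytes)."""
    return s[off:off + 4]


def bpx_createfilea_breaks(lp_filename: bytes) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    return dword_at(lp_filename, CREATEFILE_OFFSET) in BREAK_ON_NAMES


def bpx_regopenkey_breaks(lp_subkey: bytes) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    return any(dword_at(lp_subkey, off) == b"tICE" for off in REGOPENKEY_OFFSETS)


def tice_offset(lp_subkey: bytes) -> int:
    """Where 'tICE' starts in a subkey (the 't' of 'SoftICE'), or -1 if the
    key has no 'SoftICE' in it: this is how 0x13 and 0x37 are derived."""
    i = lp_subkey.find(b"SoftICE")
    return -1 if i < 0 else i + 3


# Constructed sample arguments (not captured from any program): the Method 11
# device names plus one unrelated device, and the three Method 13 subkeys
# relative to HKEY_LOCAL_MACHINE.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
                b"\\\\.\\PhysicalDrive0"]
SUBKEYS = {
    1: b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    2: b"Software\\NuMega\\SoftICE",
    3: b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
}

if __name__ == "__main__":
    for name in DEVICE_NAMES:
        print(f"CreateFileA({name!r}): break={bpx_createfilea_breaks(name)}")
    for n, key in SUBKEYS.items():
        print(f"RegOpenKey #{n}: 'tICE' at {tice_offset(key):#x}, "
              f"break={bpx_regopenkey_breaks(key)}")
```

Running it shows why the two offsets are what they are: "SoftICE" starts at
byte 16 of key #2 and at byte 52 of key #1, so its "tICE" sits at 0x13 and
0x37. Key #3 (App Paths\Loader32.Exe) contains no "SoftICE" at all, so the
breakpoint as written never fires for it; a second condition on that path
would be needed to catch programs that use it.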
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
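Added example (not part of the original text, written in Python for this
edit): a static scanner that flags the byte patterns behind the checks of
Methods 01 to 05, 07, 11, 12 and 13 in a file, the kind of pass an analyst
runs before loading a protected program under a debugger. The opcode
encodings are the standard ones for the instructions listed above (16-bit
forms, with an optional 66h prefix for the 32-bit "mov ax"/"cmp ax"); the
signature names, the functions and the sample blob are constructed here and
are not taken from any real program.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# The first token of each name is the method number from the text; "magic" is
# the 0F386h compare that Methods 05, 06, 07 and 12 all end with.
DEVICE_PREFIX = re.escape(b"\\\\.\\")          # the literal bytes  \\.\
SIGNATURES = {
    "01 mov ebp,4243484Bh ('BCHK') before int 3":
        rb"\xBD\x4B\x48\x43\x42",
    "02 int 3 back door: mov si,4647h / mov di,4A4Dh":
        rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A",
    "03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F",
    "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F",
    "05 mov ax,4Fh / int 41h":
        rb"\x66?\xB8\x4F\x00\xCD\x41",
    "magic cmp ax,0F386h (debugger present)":
        rb"\x66?\x3D\x86\xF3",
    "07 mov ah,43h / int 68h":
        rb"\xB4\x43\xCD\x68",
    "11 MeltICE device name (SICE / SIWVID / NTICE)":
        DEVICE_PREFIX + rb"(?:SICE|SIWVID|NTICE)",
    "12 push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "13 NuMega registry path":
        re.escape(b"Software\\NuMega\\SoftICE"),
}
# DOTALL so the ".{0,n}?" gaps may contain 0Ah bytes as well.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


@dataclass(frozen=True)
class Hit:
    offset: int
    name: str
    matched: bytes


def scan(data: bytes) -> list[Hit]:
    """All signature hits in data, ordered by file offset."""
    hits = [Hit(m.start(), name, m.group(0))
            for name, rx in COMPILED.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.name))


def methods_found(data: bytes) -> set[str]:
    """Method numbers (first token of the signature name) seen in data."""
    return {h.name.split()[0] for h in scan(data)}


# Constructed sample blob: the Method 03 and Method 05 sequences exactly as
# listed above, followed by the MeltICE device name and registry key #2.
SAMPLE = (
    b"MZ" + b"\x00" * 14                                 # fake header padding
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x8C\xC0\x03\xC7\x85\xC0\x75\x10"                # mov ax,es / add ax,di / test ax,ax / jnz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"        # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"                                 # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"                   # registry subkey #2
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  {h.matched.hex(' '):<24}  {h.name}")
```

Read the output as leads, not verdicts: the three-byte "cmp ax,0F386h"
pattern in particular will hit by chance in a large binary, so it only means
something next to an int 41h, int 68h or VxDCall hit a few bytes earlier.
Methods 06, 08, 09, 10 and 14 have no fixed byte pattern (their constants
come from handler code, DOS calls or VMM services) and are not covered.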
</PRE></TD></TR></TBODY></TABLE>