<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=04h, the int 3 is handled by SoftICE itself, which modifies AL before
returning. Without SoftICE the int 3 returns with AL still equal to 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, a hard reboot of the machine...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler
 for the int 3 when the debugger is not loaded (SoftICE, when present,
 consumes the int 3 and returns to 00A1).
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): when no VxD with that ID is loaded, ES:DI
comes back 0000:0000, otherwise it points to the VxD's API entry point.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (summing ES and DI is a shortcut; 'or ax,di' cannot wrap to 0)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

# T1 k3 _- n/ q7 g9 Q/ d__________________________________________________________________________+ Y! n6 O: u$ Y7 e& ] C: S4 U
! S9 }7 p1 ^0 N8 E1 C- J
) A. F# r* R, @8 W5 nMethod 05
# K) J8 q. E, X+ ]" d' m=========
; D) X) w. h4 G0 D; P+ x( T1 j; M a+ T a9 `/ ~
Method seeking the 'magic number' 0F386h returned (in ax) by all system
, a( G5 D9 h$ A# |/ h e3 j3 adebugger. It calls the int 41h, function 4Fh.
& L4 d; B$ z2 [: _1 dThere are several alternatives.
; Q4 _# C& ~ P I% \$ O% J u/ l4 o7 A7 n
The following one is the simplest:
/ [% {: |) }# c) ]( ~/ b
% a. [ H( u$ V- P0 j- \% A! L mov ax,4fh
" c1 O% C( [9 F% p7 ] int 41h5 X/ _) S/ u# {7 k& U
cmp ax, 0F386! n5 `- ^+ L. g4 n
jz SoftICE_detected0 V- q+ Y! w2 M: ~! P/ Z& a
! `- `5 m& m1 W% Y( }
0 }/ t& S( W. m3 ^
Next method as well as the following one are 2 examples from Stone's
7 i6 Z( U c$ b6 T* e"stn-wid.zip" (www.cracking.net):
6 X6 ], l( a& a5 ^# R9 ?4 c
% P' Z/ e" P5 g9 @ mov bx, cs
* {. y$ k( J( R' l; A$ J lea dx, int41handler2
- T1 q4 K7 E7 ?& o. c; N xchg dx, es:[41h*4]
% [6 N5 z# h C xchg bx, es:[41h*4+2]0 W3 O$ \' w+ W7 ?- ^
mov ax,4fh
; J `7 N4 V: }- R6 A$ O int 41h1 `1 |0 Q( H0 k/ l
xchg dx, es:[41h*4]) Q: `9 y$ F& E4 B: y9 k. o
xchg bx, es:[41h*4+2]
$ v- K. i& U% l1 V cmp ax, 0f386h
& B/ Z# x& t7 ]5 \8 \' Y( _: k4 Q9 f. E jz SoftICE_detected
0 G- W: C4 _6 u9 h/ Z9 E, a! T. e: L" ?; G" i- z: W4 t& O) U
int41handler2 PROC8 a( K0 G; ^) p
iret
2 I- K* j8 N4 s Nint41handler2 ENDP
7 o- f: `7 d z7 x" T9 a' B$ }8 q& s V z; c+ ^
5 c. H3 ~8 ^1 w% {% T0 l8 v
_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to detect: the handler
placed in the IVT only copies AL into CL. If the int 41h really reaches
that handler, CL equals AL afterwards. If SoftICE swallows the interrupt
instead, CL keeps the zero it was set to while AL holds the value read from
the timer port, and the mismatch reveals the debugger.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; PIT counter: an unpredictable value in AL
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86). AH=43h is the
installation check of the Windows debugger interface and returns AX=0F386h
when a debugger is present:

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed, 0 otherwise.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only: MOV from a debug register is a privileged instruction).
In 0x400 only the always-set reserved bit 10 of DR7 is on; 0x700 adds the
LE and GE (exact breakpoint enable) bits 8 and 9. Values can be manipulated
or changed as well (clearing BPMs for instance).
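As an added example (not code from the original page), here is the DR7 decoding behind the 0x400/0x700 values above, generalised to all four hardware breakpoint slots. Reading the debug registers is possible in ring 0 only, so the register contents are passed in as arguments; the sample values in main() are constructed, and the flag names (DR_LOADER etc.) are this example's own.

```c
/* Added example: decoding x86 debug registers as Method 10 describes.
 * MOV from DR0..DR7 is privileged (ring 0 only), so a real detector runs
 * in a VxD/driver; here the register values are passed in as arguments and
 * the sample values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, debug registers):
 *   bits 0..7   L0,G0 .. L3,G3  local/global enable of breakpoint slots 0..3
 *   bit  8      LE              local exact breakpoint enable
 *   bit  9      GE              global exact breakpoint enable
 *   bit  10     reserved, always reads as 1  (hence the bare 0x400)
 *   bits 16..31 R/Wn (2 bits) and LENn (2 bits) for each slot n
 * 0x700 = reserved | GE | LE, the value the SoftICE loader leaves behind. */
#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)

enum {
    DR_CLEAN       = 0,      /* dr7 == 0x400 and no addresses: nothing found */
    DR_LOADER      = 1 << 0, /* LE and GE set: program started by the loader */
    DR_BPM_ENABLED = 1 << 1, /* some Ln/Gn bit set: a hardware bp is armed */
    DR_ADDR_LOADED = 1 << 2  /* some DR0..DR3 holds a non-zero address */
};

/* 4-bit mask of slots whose local or global enable bit is set in dr7. */
unsigned dr7_enabled_slots(uint32_t dr7)
{
    unsigned mask = 0, i;
    for (i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))      /* Li (bit 2i) or Gi (bit 2i+1) */
            mask |= 1u << i;
    return mask;
}

/* R/Wn field of slot n: 0 = execute, 1 = write, 3 = read or write. */
unsigned dr7_slot_type(uint32_t dr7, unsigned n)
{
    return (dr7 >> (16 + 4 * n)) & 3u;
}

/* The Method 10 heuristic, generalised: combine the loader signature with
 * whatever breakpoints are armed or merely left in the address registers. */
unsigned dr_check(uint32_t dr0, uint32_t dr1, uint32_t dr2, uint32_t dr3,
                  uint32_t dr7)
{
    unsigned flags = DR_CLEAN;
    if ((dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE))
        flags |= DR_LOADER;
    if (dr7_enabled_slots(dr7))
        flags |= DR_BPM_ENABLED;
    if (dr0 || dr1 || dr2 || dr3)
        flags |= DR_ADDR_LOADED;
    return flags;
}

int main(void)
{
    /* Constructed sample: started by the loader, BPM W on 401000 in slot 0
     * (L0 set, R/W0 = 01 = write, LEN0 = 00 = 1 byte). */
    uint32_t dr7 = 0x700u | 0x1u | (1u << 16);
    unsigned f = dr_check(0x00401000u, 0, 0, 0, dr7);
    printf("dr7=%08x slots=%x type0=%u flags=%x\n",
           dr7, dr7_enabled_slots(dr7), dr7_slot_type(dr7, 0), f);
    return 0;
}
```

The reserved bit 10 is why a clean DR7 reads 0x400 rather than 0: a detector that tests dr7 != 0 fires on every machine, whereas testing the Ln/Gn bits or the address registers only catches BPMs that are actually set.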

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* the open only succeeds if the driver answers */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the control proc entry point of
Winice.exe while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091



There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName and +4 skips the "\\.\" prefix, so the four bytes
 compared are the start of the driver name; 'SIWV' and 'NTIC' therefore
 match SIWVID and NTICE too)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, -1, on failure,
hence the 'inc eax' test):

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; -1 + 1 = 0 -> open failed
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
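The CreateFileA probe generalised to the three driver names the text lists, as an added example (this is not MeltICE's, NuMega's or AZPR's code). softice_device_class performs the same four-byte comparison as the BPX CreateFileA condition above, on the same argument; softice_probe does the actual open on a Windows build and returns 0 elsewhere, since there is nothing to open. The function names and return codes are this example's own choice.

```c
/* Added example, not MeltICE's or NuMega's code: the CreateFileA probe of
 * Method 11 extended to all three driver names the text lists, next to the
 * comparison that the SoftICE condition  *(esp->4+4)=='SICE'  performs. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names MeltICE-style checks open: SICE and SIWVID (Win9x), NTICE (NT). */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define N_SOFTICE_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* What the BPX condition tests. On entry to CreateFileA, esp->4 is
 * lpFileName; +4 skips the "\\.\" prefix; 'SICE' is the next four bytes in
 * memory order, so "SIWV" also matches "\\.\SIWVID" and "NTIC" matches
 * "\\.\NTICE". Returns 1 = SICE, 2 = SIWVID, 3 = NTICE, 0 = anything else. */
int softice_device_class(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    if (strlen(lpFileName + 4) < 4)    /* too short to hold a 4-byte tag */
        return 0;
    if (memcmp(lpFileName + 4, "SICE", 4) == 0) return 1;
    if (memcmp(lpFileName + 4, "SIWV", 4) == 0) return 2;
    if (memcmp(lpFileName + 4, "NTIC", 4) == 0) return 3;
    return 0;
}

/* The probe itself: opening \\.\NAME sends DIOC_OPEN to the VxD's control
 * procedure, which SoftICE answers, so the open succeeds only when it is
 * loaded. Returns 1..3 for the first driver that opened, 0 if none did.
 * There is nothing to open outside Windows, so non-Windows builds return 0. */
int softice_probe(void)
{
#ifdef _WIN32
    size_t i;
    for (i = 0; i < N_SOFTICE_DEVICES; i++) {
        HANDLE h = CreateFileA(softice_devices[i], GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {   /* the -1 the disassembly compares with */
            CloseHandle(h);
            return (int)i + 1;
        }
    }
#endif
    return 0;
}

int main(void)
{
    size_t i;
    for (i = 0; i < N_SOFTICE_DEVICES; i++)
        printf("%-12s -> class %d\n", softice_devices[i],
               softice_device_class(softice_devices[i]));
    printf("probe: %d (0 = SoftICE not loaded)\n", softice_probe());
    return 0;
}
```

Because the breakpoint condition only looks at the four bytes after the prefix, it also fires on any other \\.\SICE... or \\.\NTIC... name; that is harmless for a breakpoint but worth remembering if the same test is reused as a filter.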


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected


Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 in "Software\NuMega\SoftICE" and in
 "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>