<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE's INT 3 handler
exposes: with EBP = 'BCHK' and AX = 4, SoftICE answers by modifying AL,
whereas without SoftICE the INT 3 falls through to the program's own
exception handler and AL stays 4.

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through the program's own INT 3 exception
  handler when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via INT 2Fh/1684h
(Get Device API Entry Point): the call returns the VxD's API entry point in
ES:DI, and leaves ES:DI untouched (0000:0000 here) when no VxD with that ID
is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID, the video driver).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh            ; VxD ID of SIWVID
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). A temporary handler is swapped into the
INT 41h vector first (ES must point at segment 0, the interrupt vector
table, as in Method 06) so that the INT 41h returns harmlessly when no
debugger has hooked it; the original vector is restored afterwards:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect, because
no function number is passed in AX (a breakpoint such as "BPINT 41 if
ax==4f" will not catch it). The temporary handler copies AL into CL; if the
INT 41h never reaches that handler because SoftICE services the interrupt
itself, CL keeps the 0 it was cleared to and no longer matches the value
read from port 40h. (The check misfires when that value happens to be 0.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h               ; pseudo-random byte from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function 43h
returns the same 0F386h magic number.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX Exec_Int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
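Methods 01 to 07 all compile to short, fixed byte sequences, so a quick way
to find them in an unpacked binary is to scan for those bytes. The scanner
below is an added example written for this page, not code from the original
text or from any of the protections named above; signature names, the
hit_t layout and the sample "code image" are constructed here. Encodings are
the 16-bit ones of the listings above; a 32-bit build of the same source only
adds a 66h operand-size prefix in front, so the same bytes still match.

```c
/*
 * Added example (not from the original text): a static scanner for the byte
 * sequences that methods 01-07 above assemble to.  Signature names, the
 * hit_t layout and the sample image are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

static const uint8_t sig_bchk[]   = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK')           */
static const uint8_t sig_magic[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h / mov di,4A4Dh           */
static const uint8_t sig_sice[]   = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t sig_siwvid[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* same with bx=7A5Fh                    */
static const uint8_t sig_int41[]  = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh / int 41h                  */
static const uint8_t sig_int68[]  = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h / int 68h                  */

static const sig_t sigs[] = {
    {"01 BoundsChecker BCHK via int 3",        sig_bchk,   sizeof sig_bchk},
    {"02 int 3 back door (SI/DI magic)",       sig_magic,  sizeof sig_magic},
    {"03 int 2Fh/1684h VxD ID 0202h (SICE)",   sig_sice,   sizeof sig_sice},
    {"04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", sig_siwvid, sizeof sig_siwvid},
    {"05 int 41h/4Fh debugger check",          sig_int41,  sizeof sig_int41},
    {"07 int 68h/43h WinICE V86 handler",      sig_int68,  sizeof sig_int68},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

typedef struct {
    size_t      offset;
    const char *method;
} hit_t;

/*
 * Scans buf[0..len) for every signature at every offset.  Returns the total
 * number of matches and records the first max_hits of them, in offset order.
 * Method 06 is deliberately absent: it loads no function number, so its only
 * fixed bytes (in al,40h / int 41h) are too short to be a useful signature.
 * Packers usually keep this code encrypted, so scan the unpacked image.
 */
size_t scan_softice_checks(const uint8_t *buf, size_t len,
                           hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (sigs[s].len > len - off)
                continue;
            if (memcmp(buf + off, sigs[s].bytes, sigs[s].len) != 0)
                continue;
            if (n < max_hits) {
                hits[n].offset = off;
                hits[n].method = sigs[s].method;
            }
            n++;
        }
    }
    return n;
}

/* Constructed "code image": methods 01, 02 (the Haspinst loop body) and 05,
 * separated by NOP padding.  Not taken from any real binary. */
static const uint8_t sample_image[] = {
    0x90, 0x90,
    0x66,0xBD,0x4B,0x48,0x43,0x42,       /* mov ebp,4243484Bh (match at offset 3, after the 66h prefix) */
    0xB8,0x04,0x00,                      /* mov ax,4                 */
    0xCC,                                /* int 3                    */
    0x3C,0x04,                           /* cmp al,4                 */
    0x75,0x10,                           /* jnz SoftICE_Detected     */
    0xB8,0x11,0x09,                      /* mov ax,0911h             */
    0x8B,0x17,                           /* mov dx,[bx]              */
    0xBE,0x47,0x46,                      /* mov si,4647h  (offset 21) */
    0xBF,0x4D,0x4A,                      /* mov di,4A4Dh             */
    0xCC,                                /* int 3                    */
    0xB8,0x4F,0x00,                      /* mov ax,4Fh    (offset 28) */
    0xCD,0x41,                           /* int 41h                  */
    0x3D,0x86,0xF3,                      /* cmp ax,0F386h            */
    0x74,0x05,                           /* jz SoftICE_detected      */
    0x90, 0x90,
};

/* Convenience wrappers over the constructed image. */
size_t scan_sample_image(hit_t *hits, size_t max_hits)
{
    return scan_softice_checks(sample_image, sizeof sample_image, hits, max_hits);
}

size_t sample_hit_offset(size_t i)        /* offset of the i-th hit, or (size_t)-1 */
{
    hit_t hits[16];
    size_t n = scan_sample_image(hits, 16);
    return i < n && i < 16 ? hits[i].offset : (size_t)-1;
}

int sample_hit_is(size_t i, const char *method)   /* 1 if the i-th hit has this label */
{
    hit_t hits[16];
    size_t n = scan_sample_image(hits, 16);
    return i < n && i < 16 && strcmp(hits[i].method, method) == 0;
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_sample_image(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %4zu: method %s\n", hits[i].offset, hits[i].method);
    return 0;
}
```

Sequences this short will also match inside data by accident, and a
protection that loads SI and DI in the other order or interleaves other
instructions slips past a fixed pattern; treat hits as candidates to confirm
in the disassembler, and add variants as you meet them.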

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; ds must hold its segment
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or whether some memory
breakpoints are set (DR0 to DR3). Their values can be manipulated and
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
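The two DR7 values quoted above become readable once the register is split
into its fields. The decoder below is an added example written for this page,
not code from the original text; the bit layout is the one documented in the
Intel manual (bit 10 is reserved and always reads as 1, which is why an idle
DR7 is 0x400 and the 0x700 seen under the SoftICE loader is 0x400 plus the LE
and GE bits), while the function names and the sample values in main() are
assumptions made here.

```c
/*
 * Added example (not from the original text): decoding DR7 so that the
 * values the text quotes, 0x400 and 0x700, and any armed BPM slots can be
 * read off.  Bit layout per the Intel manual; sample values are constructed.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool     local;   /* Lx (bit 2x)      : slot armed for the current task */
    bool     global;  /* Gx (bit 2x+1)    : slot armed for every task       */
    unsigned rw;      /* R/Wx (bits 16+4x): 00 exec, 01 write, 11 read/write (10 = I/O, needs CR4.DE) */
    unsigned len;     /* LENx (bits 18+4x): 00 1 byte, 01 2 bytes, 11 4 bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    bool le;          /* bit 8 : local exact breakpoint                */
    bool ge;          /* bit 9 : global exact breakpoint               */
    bool gd;          /* bit 13: general detect, traps MOV to/from DRx */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    for (int i = 0; i < 4; i++) {
        d.slot[i].local  = (dr7 >> (2 * i))      & 1u;
        d.slot[i].global = (dr7 >> (2 * i + 1))  & 1u;
        d.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3u;
        d.slot[i].len    = (dr7 >> (18 + 4 * i)) & 3u;
    }
    d.le = (dr7 >> 8)  & 1u;
    d.ge = (dr7 >> 9)  & 1u;
    d.gd = (dr7 >> 13) & 1u;
    return d;
}

/* How many of DR0..DR3 are armed: this is what a packer looks at for BPMs. */
int dr7_armed_slots(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local || d.slot[i].global)
            n++;
    return n;
}

/* Bit 10 is reserved and always reads as 1, so an idle DR7 is 0x400; the
 * 0x700 the text reports under the SoftICE loader adds LE and GE. */
bool dr7_exact_bits_set(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge;
}

unsigned dr7_slot_rw(uint32_t dr7, int slot)  { return decode_dr7(dr7).slot[slot].rw;  }
unsigned dr7_slot_len(uint32_t dr7, int slot) { return decode_dr7(dr7).slot[slot].len; }

int main(void)
{
    /* Constructed samples: idle, loaded via the SoftICE loader, and one
     * 4-byte write BPM armed in slot 0 (L0, G0, R/W0=01, LEN0=11). */
    const uint32_t samples[] = { 0x00000400u, 0x00000700u, 0x000D0403u };
    for (int i = 0; i < 3; i++) {
        uint32_t v = samples[i];
        printf("DR7=%08X armed=%d LE+GE=%d slot0 rw=%u len=%u\n",
               (unsigned)v, dr7_armed_slots(v), (int)dr7_exact_bits_set(v),
               dr7_slot_rw(v, 0), dr7_slot_len(v, 0));
    }
    return 0;
}
```

Reading the register itself (mov eax, dr7) is ring 0 only, as the text says;
the decoder is what you run on the value once you have it, whether from a VxD
or from a crash dump.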
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles on the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could a
shareware program load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag, so the handle
opens and the debugger is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

 (esp->4 is lpFileName, +4 skips the "\\.\" prefix, and the dword compare
 only looks at four characters, hence 'SIWV' and 'NTIC'.)

-The most exotic ones (can be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                                ; will break 3 times :-(
-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                                ; will break 3 times :-(
-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov  eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                 ; HFILE_ERROR (-1) becomes 0
        jnz  00650589            ; detected
        push 00                  ; OF_READ
        mov  eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae            ; not detected

__________________________________________________________________________
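To see the MeltICE logic and the "classical" breakpoint condition side by
side, here is an added example written for this page; it is not MeltICE's,
NuMega's or the original text's code. The open attempt is passed in as a
function pointer: on Windows, win32_probe() is the CreateFileA call shown
above, and elsewhere two simulated probes (constructed here) let the logic
run. The device names are the three the text lists; the function names are
assumptions made here.

```c
/*
 * Added example (not from the original text): the MeltICE check as a
 * portable function, plus the condition of the classical BPX above, so the
 * two can be exercised against each other.  Probe functions are injected;
 * only win32_probe() touches the real CreateFileA.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* Win9x: SoftICE itself        */
    "\\\\.\\SIWVID",  /* Win9x: SoftICE video driver  */
    "\\\\.\\NTICE",   /* WinNT                        */
};
#define NDEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Returns true when device_path can be opened. */
typedef bool (*probe_fn)(const char *device_path);

/* MeltICE: if any driver handle opens, the debugger is loaded. */
bool is_softice_loaded(probe_fn probe)
{
    for (size_t i = 0; i < NDEVICES; i++)
        if (probe(softice_devices[i]))
            return true;
    return false;
}

#ifdef _WIN32
#include <windows.h>
/* The CreateFileA call from the listing above, wrapped as a probe. */
bool win32_probe(const char *device_path)
{
    HANDLE h = CreateFileA(device_path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return false;
    CloseHandle(h);
    return true;
}
#endif

/* Simulated probes, constructed for running the logic outside Windows. */
bool probe_nothing_loaded(const char *device_path)
{
    (void)device_path;
    return false;
}
bool probe_siwvid_loaded(const char *device_path)
{
    return strcmp(device_path, "\\\\.\\SIWVID") == 0;
}

/* Little-endian dword at s, i.e. what a *(ptr) compare reads in SoftICE. */
static uint32_t dword_at(const char *s)
{
    return (uint32_t)(uint8_t)s[0]       | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/*
 * BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName, +4 skips "\\.\", and the dword compare sees exactly
 * four characters, which is why "SIWVID" and "NTICE" match on their first four.
 */
bool bpx_createfile_condition(const char *lpFileName)
{
    if (strlen(lpFileName) < 8)      /* prefix plus four characters must be readable */
        return false;
    uint32_t v = dword_at(lpFileName + 4);
    return v == dword_at("SICE") || v == dword_at("SIWV") || v == dword_at("NTIC");
}
```

The same condition, unchanged, also covers the _lopen variant at the end of
this method, because the path pointer is the first argument there too. Note
the breakpoint keys on characters 5 to 8 of the path only, so an ordinary
file such as "tmp\SICE.dat" trips it as well; that is the price of a fast
condition.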

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word specifies the VxD (VWIN32),
                                 ; low word specifies the service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp  ax, 0F386h          ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-()

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" in keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed         ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>