<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh, function 1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must point to the IVT (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous handler
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The idea: if a system debugger services int 41h itself, the replacement
handler never runs, so cl (cleared beforehand) no longer matches al.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        /* Try to open the SoftICE VxD by its device name. */
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            /* The open only succeeds when the driver is loaded. */
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

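The byte patterns behind several of the checks above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) gathered into a small static triage scanner, for an analyst who wants to spot these tricks in a sample without running it. This is an added example, not code from the original text; the encodings assume plain x86 machine code and ANSI strings, and the sample bytes are constructed.

```python
import re
from typing import Dict, List

# Each entry maps a signature name to a regex over raw bytes. Encodings assume
# plain x86 code; the optional 66h prefix covers 16-bit moves in 32-bit code.
# Only ANSI strings are matched (no UTF-16), which fits the Win9x-era samples.
SIGNATURES: Dict[str, re.Pattern] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') with an int 3 within a few bytes
    "method01_boundschecker_bchk":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values of the back door
    "method02_backdoor_magic":
        re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "method03_04_int2f_vxd_id":
        re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Methods 05/06: mov ax,4Fh / int 41h
    "method05_int41_4f": re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41", re.S),
    # Method 07: mov ah,43h / int 68h
    "method07_int68_43": re.compile(rb"\xB4\x43\xCD\x68", re.S),
    # Methods 05/07/12: cmp ax,0F386h, the value returned by system debuggers
    "magic_f386_compare": re.compile(rb"(?:\x66)?\x3D\x86\xF3", re.S),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "method11_meltice_device_name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.S),
    # Method 12: push 4Fh / push 2A002Ah just before the VxDCall
    "method12_vxdcall_int41dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S),
    # Method 13: the NuMega registry key (case-insensitive, as the registry is)
    "method13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature_name: [offsets, ...]} for every signature present."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample (not a real binary): a Method 05 check, the Method 02
# magic values, a MeltICE device name and the Method 13 registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # mov ax,4Fh/int 41h/cmp/jz
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                # mov si/mov di/int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                             # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"               # registry key string
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: at offsets {[hex(o) for o in offsets]}")
```

Byte signatures of this kind are a triage aid, not proof: a packer can split or reorder the instructions, so a hit marks where to look in the disassembly rather than a verdict.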
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
. P8 B7 v9 V9 H0 o</PRE></TD></TR></TBODY></TABLE> |