About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 if SoftICE did not answer
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 here (IVT segment), as in method 06
    xchg    bx, es:[41h*4+2]        ; install our handler, keep the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if nobody intercepted int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = PIT counter byte, a value hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al means our handler never ran
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)!

___________________________________________________________________________
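The decoder below is an added illustration, not part of the original text: it interprets the DR7 values quoted above using the documented x86 debug-register layout (Intel SDM vol. 3). 0x400 is just the reserved always-one bit 10, while 0x700 additionally has LE and GE (bits 8 and 9) set, which is the difference this method keys on; the breakpoint address and the third sample value are constructed.

```python
# Decoder for the x86 DR7 debug-control register (layout from the Intel SDM,
# vol. 3, "Debug Registers"). Added example; 0x400 and 0x700 are the values
# the text quotes, the breakpoint sample is constructed.

# R/W bits (2 per breakpoint, starting at bit 16): condition that triggers it.
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN bits (2 per breakpoint, starting at bit 18): size of the watched range.
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe what DR7 enables; dr0_3 holds the linear addresses in DR0-DR3."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact-breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact-breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: traps MOV to/from DRx
        "breakpoints": [],
    }
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))       # L0..L3 sit at even bits
        global_en = bool(dr7 & (1 << (2 * n + 1)))  # G0..G3 sit at odd bits
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "index": n,
            "address": dr0_3[n],
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if global_en else "local",
        })
    return info


def looks_debugger_loaded(dr7):
    """The text's heuristic: LE and GE both set (0x700) is what a process
    started from the SoftICE loader sees; a clean read shows only bit 10."""
    return bool(dr7 & (1 << 8)) and bool(dr7 & (1 << 9))


if __name__ == "__main__":
    samples = [
        (0x400, (0, 0, 0, 0)),
        (0x700, (0, 0, 0, 0)),
        # constructed: a BPM-style read/write, 4-byte, local breakpoint 0
        # at 0x401000 on top of the 0x700 state (L0 | RW0=11 | LEN0=11)
        (0xF0701, (0x401000, 0, 0, 0)),
    ]
    for value, regs in samples:
        print(hex(value), looks_debugger_loaded(value), decode_dr7(value, regs))
```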

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE (-1)
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
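Added example (not part of the original post, nor code from any tool it names): a small static scanner that looks for the byte patterns and strings the methods above rely on, so an analyst can flag a sample carrying these tricks before running it. It covers methods 01, 02, 03/04, 05/07/12, 11 and 13; the encodings are the 16-bit ones shown in the listings, and the sample buffer is constructed.

```python
import re

# Byte signatures for the tricks described above (added example, not code
# from the original post). Encodings are the 16-bit ones in the listings;
# 32-bit builds of the same instructions prepend a 66h operand-size prefix,
# which still matches because every pattern starts at the opcode byte.
SIGNATURES = [
    ("M01 'BCHK' BoundsChecker probe (mov ebp,4243484Bh)", rb"\xBD\x4B\x48\x43\x42"),
    ("M02 backdoor magic (mov si,4647h ... mov di,4A4Dh)", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h, VxD id 0202h (SICE)",             rb"\xBB\x02\x02.{0,6}?\xCD\x2F"),
    ("M04 int 2Fh/1684h, VxD id 7A5Fh (SIWVID)",           rb"\xBB\x5F\x7A.{0,6}?\xCD\x2F"),
    ("M05 int 41h function 4Fh (mov ax,4Fh / int 41h)",    rb"\xB8\x4F\x00\xCD\x41"),
    ("M05/07/12 cmp ax,0F386h",                            rb"\x3D\x86\xF3"),
    ("M07 int 68h function 43h (mov ah,43h / int 68h)",    rb"\xB4\x43\xCD\x68"),
    ("M12 push 002A002Ah (VWIN32_Int41Dispatch)",          rb"\x68\x2A\x00\x2A\x00"),
    ("M11 device name \\\\.\\SICE",                        re.escape(rb"\\.\SICE")),
    ("M11 device name \\\\.\\SIWVID",                      re.escape(rb"\\.\SIWVID")),
    ("M11 device name \\\\.\\NTICE",                       re.escape(rb"\\.\NTICE")),
    ("M13 registry key Software\\NuMega\\SoftICE",         re.escape(rb"Software\NuMega\SoftICE")),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data):
    """Return (offset, signature name) pairs found in data, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk (e.g. an unpacked DOS or Win9x executable)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not from any real binary): a method 01 stub,
# the head of the Haspinst.exe loop from method 02, then a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00\xCC"        # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h; mov dx,[bx]; si/di magic; int 3
    + b"\x00" * 3
    + rb"\\.\SICE" + b"\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

A hit on the M05/07/12 `cmp ax,0F386h` pattern alone is weak evidence (three bytes can occur by chance); treat it as a lead to confirm in the disassembler, whereas a device-name string or the SI/DI magic pair is close to conclusive.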