<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

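Added example, not from the original text: a Python decoder that shows which DR7 bits the 0x700 / 0x400 values above stand for and which DR0-DR3 slots carry a BPM. The bit layout is the Intel one (L0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and read as 1, GD bit 13, R/Wn and LENn in bits 16+4n..19+4n); the "loader" heuristic only assumes that LE and GE are what separate the two values the text cites.

```python
# Decode DR7 the way a ring-0 check such as Method 10 would read it.
# Constants below follow the Intel SDM debug-register layout.
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the global flags and one entry per hardware breakpoint slot."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: enabled for this task
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: enabled for all tasks
        slots.append({
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_TYPES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "LE": bool(dr7 & 0x100),     # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),     # global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),    # general detect (trap on DRn access)
        "slots": slots,
    }


def loaded_with_softice_loader(dr7):
    """Method 10's heuristic: 0x700 vs 0x400 differ only in LE|GE (bit 10 is
    always set), so this assumes the loader is what turns those two bits on."""
    return (dr7 & 0x300) == 0x300


def active_bpm_slots(dr7):
    """Indices of DRn registers that currently carry an enabled BPM."""
    return [n for n, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def describe(dr7):
    """One-line summary in the spirit of the 'dr7=0x700 / 0x400' rule."""
    flags = decode_dr7(dr7)
    parts = []
    for n in active_bpm_slots(dr7):
        s = flags["slots"][n]
        parts.append(f"DR{n}:{s['scope']} {s['type']} len={s['len']}")
    loader = "yes" if loaded_with_softice_loader(dr7) else "no"
    bpms = ", ".join(parts) or "none"
    return f"dr7={dr7:#x} loader={loader} LE={int(flags['LE'])} GE={int(flags['GE'])} BPMs={bpms}"


# Constructed sample values: the two cases the text cites, plus one BPM
# (local, 4-byte write breakpoint in DR0 -> 0xD0401).
SAMPLES = [0x700, 0x400, 0x400 | 0x1 | (1 << 16) | (3 << 18)]

if __name__ == "__main__":
    for v in SAMPLES:
        print(describe(v))
```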
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

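Added example, not from the original text: a small Python triage scanner that looks, in a raw file image, for the byte patterns and strings of Methods 01 to 07, 11, 12 and 13 above, so a packed sample can be flagged for these checks before it is ever loaded under a debugger. The instruction encodings, the signature names and the sample image are all constructed here from the listings in the text.

```python
import re

# Byte signatures built from the listings above (16-bit encodings; in 32-bit
# code the ax/si/di moves carry a 66h prefix, which these patterns do not
# anchor on, so they still match). Keys name the method they detect.
SIGNATURES = {
    "m01_bchk_int3":     re.compile(rb"\xbd\x4b\x48\x43\x42"),                  # mov ebp,4243484Bh ('BCHK')
    "m02_int3_backdoor": re.compile(rb"\xbe\x47\x46.{0,12}?\xbf\x4d\x4a", re.S),  # mov si,4647h .. mov di,4A4Dh
    "m03_int2f_1684":    re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),  # mov ax,1684h ; mov bx,ID ; int 2Fh
    "m05_int41_4f":      re.compile(rb"\xb8\x4f\x00.{0,32}?\xcd\x41", re.S),      # mov ax,4fh .. int 41h
    "m05_f386_magic":    re.compile(rb"\x3d\x86\xf3"),                          # cmp ax,0F386h
    "m07_int68_43":      re.compile(rb"\xb4\x43\xcd\x68"),                      # mov ah,43h ; int 68h
    "m11_meltice_name":  re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),     # "\\.\SICE",0 etc.
    "m12_vxdcall_int41": re.compile(rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"),  # push 4fh ; push 2a002ah
    "m13_registry":      re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I),
}


def scan(data):
    """Map each signature name to the list of offsets where it occurs in data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def methods_found(data):
    """Sorted signature names present in data: the triage verdict."""
    return sorted(scan(data))


# Constructed sample image: the Haspinst.exe backdoor loop from Method 02,
# MeltICE's device name, the int 41h/4Fh check and an 0F386h compare,
# padded with NOPs. Offsets in the comments count from the start of SAMPLE.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"            # 8:  mov ax,0911
    + b"\x8b\x17"                # 11: mov dx,[bx]
    + b"\xbe\x47\x46"            # 13: mov si,4647
    + b"\xbf\x4d\x4a"            # 16: mov di,4A4D
    + b"\xcc"                    # 19: int 3
    + b"\\\\.\\SICE\x00"         # 20: "\\.\SICE",0
    + b"\xb8\x4f\x00\xcd\x41"    # 29: mov ax,4fh ; int 41h
    + b"\x3d\x86\xf3"            # 34: cmp ax,0F386h
    + b"\x90" * 8
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in sorted(scan(data).items()):
        locs = ", ".join(hex(o) for o in offsets)
        print(f"{name:<18} at {locs}")
```

Run it with a file path to scan a real image, or without arguments to scan the constructed SAMPLE.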
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>