<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps the int 41h vector with a dummy
handler around the call and restores it afterwards:

 xor ax,ax
 mov es,ax             ; ES = 0 so that es:[41h*4] addresses the IVT
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h            ; read a timer byte as an unpredictable value
 xor cx,cx
 int 41h               ; our handler copies al into cl...
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; ...unless a debugger swallowed the call
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

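To make sense of the dr7 values quoted above, here is an added Python decoder (not part of the original text) that splits DR7 into its Intel-defined fields: bits 8 and 9 are the LE/GE exact-breakpoint enables, bit 10 always reads as 1, and each of DR0..DR3 has a local/global enable bit plus 2-bit R/W and LEN fields, so 0x700 is LE+GE with nothing armed and 0x400 is the bare reserved bit. The function names and the sample values are my own.

```python
# Intel-defined DR7 layout: bit 2*i = L(i), bit 2*i+1 = G(i) for i in 0..3,
# bit 8 = LE, bit 9 = GE, bit 10 reserved (reads as 1),
# bits 16+4*i..17+4*i = R/W(i), bits 18+4*i..19+4*i = LEN(i).
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode

def decode_dr7(dr7):
    """Return the enabled flags and the armed hardware breakpoints in dr7."""
    flags = [name for bit, name in ((DR7_LE, "LE"), (DR7_GE, "GE")) if dr7 & bit]
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"reg": f"dr{i}", "scope": "global" if glob else "local",
                    "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"flags": flags, "breakpoints": bps}

def softice_loader_fingerprint(dr7):
    """True for the 0x700 state the text associates with the SoftICE loader:
    LE and GE both set while no DR0..DR3 breakpoint is enabled."""
    d = decode_dr7(dr7)
    return d["flags"] == ["LE", "GE"] and not d["breakpoints"]

def memory_breakpoints_set(dr7):
    """True if any of DR0..DR3 is armed (what a BPM leaves behind)."""
    return bool(decode_dr7(dr7)["breakpoints"])

# Constructed sample values: the two states quoted in the text, plus a dr7
# with a local 4-byte write breakpoint armed on DR0 (L0=1, R/W0=01b,
# LEN0=11b) on top of the reserved bit.
SAMPLES = {
    "softice_loader": 0x700,
    "plain": 0x400,
    "bpm_dr0_write_dword": DR7_RESERVED_ONE | 0x1 | (0x1 << 16) | (0x3 << 18),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:22s} dr7={value:#07x} {decode_dr7(value)}")
```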
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds when it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
          ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
          ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001  ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

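Most of the checks above reduce to a handful of fixed constants: the 'BCHK' and 4647h/4A4Dh magic values of Methods 01 and 02, the int 2Fh/1684h and int 41h/4Fh sequences of Methods 03 to 06, the int 68h/43h call of Method 07, the 002A002Ah VxDCall argument of Method 12, the device names of Method 11 and the registry key of Method 13. The following Python scanner is an added example (not from the original text) that greps a binary for their raw x86 encodings; the signature names and the sample bytes are my own, and the DOS-style sequences are assumed to be 16-bit code.

```python
import re

# Raw x86 encodings of the fixed instruction sequences and strings used by the
# SoftICE checks described in this text. The DOS-style sequences are assumed
# to be 16-bit code (mov ax,imm16 = B8 xx xx); a packer that reorders or
# obfuscates the instructions will not match these literal patterns.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "m01_int3_bchk": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door)
    "m02_int3_backdoor": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "m03_m04_int2f_1684": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06: mov ax,4Fh / int 41h
    "m05_m06_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 2A002Ah (imm8 or imm32 form of push)
    "m12_vxdcall_int41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: device names handed to CreateFileA / _lopen
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: registry key #2
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}

def scan(blob):
    """Return a list of (signature name, offset) hits, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample "binary": NOP filler with four of the checks embedded at
# known offsets. Not taken from any real packer.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 at 16
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02 at 42
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"  # Method 12 at 57
    + b"\x00\\\\.\\SICE\x00"                                   # Method 11 at 71
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```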
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>