<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
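The instruction sequences of Methods 01 to 07 are what an analyst looks for when triaging a protected file, so here is an added example (not part of the original text) that turns them into byte signatures and scans a buffer for them. The encodings are the usual x86 forms of the listed instructions, and the sample buffer is constructed, not taken from Haspinst.exe or any real file.

```python
"""Byte signatures for the SoftICE checks of Methods 01 to 07 (added example,
not from the original text).  Encodings are the usual x86 forms of the listed
instructions (16-bit mov reg,imm16 / int n; mov ebp,imm32 as BD imm32); the
sample buffer below is constructed, not taken from a real file."""

# Ordered fragments: each must start within WINDOW bytes after the previous one
# ends, tolerating interleaved code (e.g. the IVT xchg's of Method 05/Stone).
WINDOW = 16
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker BCHK + int 3": [b"\xbd\x4b\x48\x43\x42", b"\xcc"],
    # mov si,4647h ; mov di,4A4Dh ; int 3  (back door call)
    "M02 back door magic SI/DI + int 3": [b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc"],
    # mov ax,1684h ; mov bx,0202h (SICE) ; int 2Fh
    "M03 int 2Fh/1684h VxD 0202h SICE": [b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f"],
    # mov ax,1684h ; mov bx,7A5Fh (SIWVID) ; int 2Fh
    "M04 int 2Fh/1684h VxD 7A5Fh SIWVID": [b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f"],
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h": [b"\xb8\x4f\x00", b"\xcd\x41", b"\x3d\x86\xf3"],
    # mov ah,43h ; int 68h ; cmp ax,0F386h
    "M07 int 68h/43h magic 0F386h": [b"\xb4\x43", b"\xcd\x68", b"\x3d\x86\xf3"],
}

def scan(buf):
    """Return [(signature name, offset of its first fragment), ...]."""
    hits = []
    for name, frags in SIGNATURES.items():
        start = 0
        while (pos := buf.find(frags[0], start)) >= 0:
            cur = pos + len(frags[0])
            for frag in frags[1:]:
                # the next fragment may begin no later than cur + WINDOW
                nxt = buf.find(frag, cur, cur + WINDOW + len(frag))
                if nxt < 0:
                    break
                cur = nxt + len(frag)
            else:               # every fragment found in order: a hit
                hits.append((name, pos))
            start = pos + 1
    return hits

# Constructed sample: Haspinst.exe back door loop (Method 02), then a plain
# int 41h/4Fh check (Method 05), padded with nops.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"       # mov ax,0911h
    + b"\x8b\x17"           # mov dx,[bx]
    + b"\xbe\x47\x46"       # mov si,4647h
    + b"\xbf\x4d\x4a"       # mov di,4A4Dh
    + b"\xcc"               # int 3
    + b"\x83\xc3\x02"       # add bx,2
    + b"\x41"               # inc cx
    + b"\x83\xf9\x06"       # cmp cx,6
    + b"\x72\xe8"           # jb 0095
    + b"\x90" * 3
    + b"\xb8\x4f\x00"       # mov ax,4Fh
    + b"\xcd\x41"           # int 41h
    + b"\x3d\x86\xf3"       # cmp ax,0F386h
    + b"\x74\x10"           # jz SoftICE_detected
)
```

scan(SAMPLE) reports the Method 02 sequence at offset 9 and the Method 05 sequence at offset 28; feed it the raw code section of a file to get the same report for real input.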
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
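To see what the two dr7 values above actually encode, here is an added example (not from the original text) that decodes the documented DR7 bit layout, lists any armed BPM slot (dr0 to dr3) and applies the text's 0x700/0x400 rule; the breakpoint address 0x00401000 in the sample is constructed.

```python
"""Decode DR7 as read by a ring-0 check (Method 10).  Added example, not from
the original text; the bit layout is the documented x86 DR7 format and the two
reference values (0x700 loader, 0x400 otherwise) are the ones quoted above."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                               # LENn field

def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Describe the breakpoints armed by DR7; dr = (dr0, dr1, dr2, dr3)."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: enabled for this task
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: enabled for all tasks
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # what access triggers slot n
        ln = (dr7 >> (18 + 4 * n)) & 3        # size of the watched range
        slots.append({"slot": n, "addr": dr[n],
                      "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),    # local exact-breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact-breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: traps mov to/from DRn
        "breakpoints": slots,
    }

def classify(dr7, dr=(0, 0, 0, 0)):
    """Apply the text's rule of thumb: any armed slot means a BPM is set;
    LE|GE with no slot is the 0x700 left by the SoftICE loader; 0x400 is
    only the always-set reserved bit 10, i.e. the baseline."""
    d = decode_dr7(dr7, dr)
    if d["breakpoints"]:
        return "BPM set: " + ", ".join(
            f"dr{b['slot']} {b['kind']} {b['len']}B @ {b['addr']:#010x}"
            for b in d["breakpoints"])
    if d["LE"] and d["GE"]:
        return "loaded via SoftICE loader (dr7=0x700)"
    return f"no armed slots, LE={d['LE']} GE={d['GE']} (baseline is 0x400)"

if __name__ == "__main__":
    print(classify(0x700))
    print(classify(0x400))
    # constructed: a local 4-byte read/write BPM in dr0 on top of the baseline
    print(classify(0x400 | 1 | (3 << 16) | (3 << 18), (0x00401000, 0, 0, 0)))
```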
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>