About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 here (IVT)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
3 t) G$ m! z2 @# C* m</PRE></TD></TR></TBODY></TABLE>