About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's handling of the BoundsChecker signature:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; if SoftICE serves the request, al is no longer 4
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES = 0 (interrupt vector table), as set up in Method 06
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler, saving the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone; a debugger returns the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy the random value when our handler runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
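As an added example (not part of the original post or of any NuMega code), here is a small static triage script that looks for the byte signatures and strings of the tricks above in a raw binary: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h VxD IDs, the int 41h/4Fh and 0F386h checks of Methods 05/07/12, the MeltICE device names and the Method 13 registry keys. The x86 opcode encodings and the constructed sample bytes are my own assumptions, and `scan`, `methods_found` and `SAMPLE` are names I chose.

```python
import re

# Signature table for the tricks described above. Each entry is
# (method label from the text, regex over raw bytes, what the bytes encode).
# Encodings are plain 16-bit x86: B8/BB/BE/BF = mov ax/bx/si/di,imm16, B4 = mov ah,imm8,
# BD = mov ebp,imm32, 3D = cmp ax,imm16, CD xx = int xx, 6A/68 = push imm8/imm32.
OPCODE_RULES = [
    ("Method 01", rb"\xBD\x4B\x48\x43\x42",
     "mov ebp,4243484Bh ('BCHK' BoundsChecker signature, int 3 check)"),
    ("Method 02", rb"\xBE\x47\x46.{0,12}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}\xBE\x47\x46",
     "mov si,4647h + mov di,4A4Dh (int 3 back door magic values)"),
    ("Method 03", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    ("Method 04", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    ("Method 05", rb"\xB8\x4F\x00\xCD\x41",
     "mov ax,4Fh / int 41h debugger installation check"),
    ("Method 05/12", rb"\x3D\x86\xF3",
     "cmp ax,0F386h (system debugger magic number)"),
    ("Method 07", rb"\xB4\x43\xCD\x68", "mov ah,43h / int 68h"),
    ("Method 12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
]
# String rules: the MeltICE device names (ASCII or UTF-16LE) and the Method 13
# registry keys, matched case-insensitively because Win32 treats them that way.
STRING_RULES = []
for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"):
    pattern = re.escape(name.encode("ascii")) + b"|" + re.escape(name.encode("utf-16-le"))
    STRING_RULES.append(("Method 11", pattern, "device name %s (CreateFile/_lopen check)" % name))
for key in (r"NuMega\SoftICE", r"Uninstall\SoftICE", r"App Paths\Loader32.Exe"):
    STRING_RULES.append(("Method 13", re.escape(key.encode("ascii")), "registry key %s" % key))
COMPILED = [(m, re.compile(p, re.DOTALL), d) for m, p, d in OPCODE_RULES]
COMPILED += [(m, re.compile(p, re.IGNORECASE), d) for m, p, d in STRING_RULES]

def scan(blob):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, pattern, desc in COMPILED:
        for match in pattern.finditer(blob):
            hits.append((match.start(), method, desc))
    hits.sort()
    return hits

def methods_found(blob):
    """Distinct method labels hit, for a one-line verdict on a sample."""
    return sorted({method for _, method, _ in scan(blob)})

# Constructed sample (not a real file): the Haspinst.exe loop of Method 02, the
# simplest Method 05 check and a MeltICE device name, separated by NOP filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"            # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"            # cmp ax,0F386h / jz detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                 # '\\.\SICE',0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("0x%08X  %-12s %s" % (offset, method, desc))
```

Byte signatures like these are a triage aid, not proof: a packer that builds the magic values at run time will not match, so a clean scan only says the plain encodings are absent.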
汶上信息港 | Powered by Discuz! X3.5