<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: BoundsChecker talks
to SoftICE through int 3 with 'BCHK' in EBP, and if SoftICE is loaded it
handles the call, so AL no longer holds 04h on return.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected    ; AL was changed: SoftICE answered

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 3 handler) if the debugger is not loaded: without SoftICE, INT 3
  simply raises the breakpoint exception.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

        xor di,di
        mov es,di               ; ES:DI = 0, so a missing VxD leaves it 0
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps its own (empty) int 41h
handler into the vector table around the call, so that whatever handler is
normally installed in the int 41h vector does not run during the check; if
AX still comes back as 0F386h, the answer came from a debugger intercepting
the interrupt underneath the vector table:

        xor ax,ax
        mov es,ax               ; ES = 0: the real-mode IVT (needed by the XCHGs below)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our vector, save the old one
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:
instead of looking for the magic value, it checks whether its own handler
ran at all. The handler copies AL into CL; AL holds a byte read from the
timer port 40h and CX was cleared first, so after the int 41h CL == AL only
if our vector was really called. If a debugger swallowed the interrupt, CL
stays 0 (unless AL happened to be 0 too).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0: the real-mode IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our vector, save the old one
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from the PIT
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

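Added example, not part of the original page nor of Stone's stn-wid code: a
C model of the int 41h/4Fh check (method 05) and of the handler-swap
variant (method 06). The IVT, the program's handler and the debugger are
plain C functions here (a simulation written for this edit, so it runs on
any host and touches no real interrupt); the four debugger behaviours, the
sample "port 40h" byte and the DEBUGGER_MAGIC name are assumptions of the
example. It shows why method 06 also fires on a debugger that intercepts
int 41h without returning the magic value, and why reflecting the interrupt
to the vector table defeats both checks.

```c
/* Added example, not from the original page nor from Stone's stn-wid
 * code: a C model of the int 41h/4Fh check (method 05) and of the
 * handler-swap variant (method 06).  The IVT, the program's handler and
 * the debugger are plain C functions, so this runs on any host and
 * touches no real interrupt; the debugger behaviours and the "port 40h"
 * byte are assumptions of the simulation. */
#include <stdint.h>
#include <stdio.h>

#define DEBUGGER_MAGIC 0xF386u        /* AX value system debuggers return */

struct regs { uint16_t ax, cx; };
typedef void (*int_handler)(struct regs *);

/* What a debugger does when INT 41h is raised inside the V86 VM. */
enum dbg_mode {
    DBG_NONE,            /* no debugger: only the IVT vector runs */
    DBG_ANSWER_MAGIC,    /* SoftICE style: swallow INT 41h, answer fn 4Fh with F386h */
    DBG_SWALLOW_SILENT,  /* patched debugger: swallow INT 41h, no magic value */
    DBG_CHAIN            /* hardened: look, then reflect to the IVT vector anyway */
};

static int_handler ivt[256];               /* simulated real-mode IVT */
static enum dbg_mode debugger = DBG_NONE;

static void debugger_int41(struct regs *r)
{
    if (debugger == DBG_ANSWER_MAGIC && r->ax == 0x4F)
        r->ax = DEBUGGER_MAGIC;
}

/* Dispatch INT n the way a V86 monitor with a debugger hook does: the
 * debugger sees it first and decides whether the IVT vector ever runs. */
static void raise_int(int n, struct regs *r)
{
    if (n == 0x41 && debugger != DBG_NONE) {
        debugger_int41(r);
        if (debugger != DBG_CHAIN)
            return;                        /* vector in the IVT never executes */
    }
    if (ivt[n])
        ivt[n](r);
}

static void default_int41(struct regs *r) { (void)r; }   /* DOS: nothing */

/* Method 05: call fn 4Fh and look for the magic number. */
static int method05_detects(void)
{
    struct regs r = { 0x4F, 0 };
    raise_int(0x41, &r);
    return r.ax == DEBUGGER_MAGIC;
}

/* Method 06's replacement vector: mov cl,al ; iret */
static void int41handler(struct regs *r)
{
    r->cx = (uint16_t)((r->cx & 0xFF00u) | (r->ax & 0x00FFu));
}

/* Method 06: swap our vector in (the two XCHGs on es:[41h*4]), raise
 * int 41h with CX=0, swap it back, and check whether CL now equals AL.
 * 'al' stands for the byte read with "in al,40h"; if it is 0 the check
 * cannot tell the two cases apart, exactly as in the original code. */
static int method06_detects(uint8_t al)
{
    int_handler saved = ivt[0x41];
    ivt[0x41] = int41handler;
    struct regs r = { al, 0 };
    raise_int(0x41, &r);
    ivt[0x41] = saved;
    return (r.cx & 0xFF) != (r.ax & 0xFF);
}

/* Run both checks under one debugger behaviour.
 * Returns bit 0 = method 05 fired, bit 1 = method 06 fired. */
static int run_checks(enum dbg_mode mode, uint8_t al)
{
    ivt[0x41] = default_int41;
    debugger = mode;
    return (method05_detects() ? 1 : 0) | (method06_detects(al) ? 2 : 0);
}

int main(void)
{
    static const char *const label[] = { "none", "answer-magic", "swallow-silent", "chain" };
    for (int m = DBG_NONE; m <= DBG_CHAIN; m++) {
        int hit = run_checks((enum dbg_mode)m, 0x5A);   /* 0x5A: sample port-40h byte */
        printf("%-15s method05=%d method06=%d\n", label[m], hit & 1, (hit >> 1) & 1);
    }
    return 0;
}
```

The "chain" row is the anti-anti-debug answer to method 06: a debugger
that reflects int 41h back to the vector table after looking at it leaves
CL == AL, and as long as it also withholds the magic value it passes
method 05 too. The "swallow-silent" row is the case the page calls "more
difficult to detect": patching SoftICE not to return 0F386h silences
method 05 but not method 06.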
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h
returns the same 0F386h magic value as int 41h/4Fh.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3) simply by reading
their value (in ring 0 only: reading DRx from ring 3 raises a general
protection fault). Values can be manipulated or changed as well (clearing
BPMs, for instance).
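Added example, not part of the original page: decoding the DR7 value that
method 10 reads, so the 0x400 / 0x700 observation and the "memory
breakpoints set" case can be checked bit by bit. Reading DR7 itself needs
ring 0 ("mov eax, dr7" raises #GP from ring 3), so this block only
interprets a value obtained elsewhere; the values it decodes are
constructed for the example and the function names are the example's own.

```c
/* Added example (not from the original page): interpreting the DR7 value
 * that method 10 reads.  Reading DR7 itself needs ring 0 ("mov eax, dr7"
 * raises #GP from ring 3), so this block only decodes a value obtained
 * elsewhere; the sample values in main() are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
 *   bits 8, 9  : LE, GE   "exact data breakpoint match"
 *   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
 *   bit 13     : GD       general detect (trap on any DRx access)
 *   bits 16+4i : R/Wi  0=execute 1=write 3=read/write (2 = I/O on 586+)
 *   bits 18+4i : LENi  0=1 byte 1=2 bytes 3=4 bytes (2 = 8 bytes, x86-64) */
struct dr7_info {
    int enabled[4];
    int rw[4];
    int len[4];
    int exact;   /* both LE and GE set */
    int gd;
};

static void dr7_decode(uint32_t dr7, struct dr7_info *out)
{
    for (int i = 0; i < 4; i++) {
        out->enabled[i] = ((dr7 >> (2 * i)) & 3u) != 0;
        out->rw[i]      = (int)((dr7 >> (16 + 4 * i)) & 3u);
        out->len[i]     = (int)((dr7 >> (18 + 4 * i)) & 3u);
    }
    out->exact = ((dr7 >> 8) & 3u) == 3u;
    out->gd    = (int)((dr7 >> 13) & 1u);
}

/* How many hardware breakpoints (BPMs, in SoftICE terms) are armed. */
static int dr7_armed_count(uint32_t dr7)
{
    struct dr7_info info;
    dr7_decode(dr7, &info);
    return info.enabled[0] + info.enabled[1] + info.enabled[2] + info.enabled[3];
}

static int dr7_rw(uint32_t dr7, int slot)  { struct dr7_info i; dr7_decode(dr7, &i); return i.rw[slot]; }
static int dr7_len(uint32_t dr7, int slot) { struct dr7_info i; dr7_decode(dr7, &i); return i.len[slot]; }

/* The page's observation: DR7 == 0x700 when the program was started through
 * the SoftICE loader (LE|GE on top of the always-set bit 10), 0x400 otherwise.
 * 0x700 is just LE|GE with nothing armed, which is what this tests. */
static int dr7_looks_like_softice_loader(uint32_t dr7)
{
    struct dr7_info info;
    dr7_decode(dr7, &info);
    return info.exact && dr7_armed_count(dr7) == 0;
}

/* The reverse direction: what DR7 becomes after "BPM addr RW" lands in
 * slot 'slot' (local enable, R/W and LEN fields set). */
static uint32_t dr7_arm(uint32_t dr7, int slot, int rw, int len)
{
    dr7 |= 1u << (2 * slot);                          /* L_slot */
    dr7 &= ~(0xFu << (16 + 4 * slot));                /* clear R/W, LEN */
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * slot);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * slot);
    return dr7;
}

/* What a hostile ring-0 program does when it "clears the BPMs": drop every
 * enable bit and keep the reserved bit 10. */
static uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & ~0xFFu) | 0x400u;
}

int main(void)
{
    /* constructed sample values, not read from a real machine */
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm(0x700u, 0, 3, 3) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info;
        dr7_decode(samples[i], &info);
        printf("DR7=%08x armed=%d exact=%d gd=%d loader=%d\n",
               (unsigned)samples[i], dr7_armed_count(samples[i]), info.exact,
               info.gd, dr7_looks_like_softice_loader(samples[i]));
    }
    return 0;
}
```

A BPM on a dword with RW access therefore shows up as 0x000F0401 on a
machine whose baseline is 0x400: bit 0 (L0) plus R/W0 = 3 and LEN0 = 3.
That is the pattern a program using method 10 scans for, and the pattern
"clearing BPMs" wipes by rewriting the low byte.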

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeds only because the SICE VxD answered DIOC_OPEN */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025             ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001              ; INVALID_HANDLE_VALUE
00401074: je 00401091               ; not opened: no SICE VxD


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
        (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
        (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of
        "tICE" inside keys #2 and #1 respectively, so key #3 is not covered)
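Added example, not part of the original page: the conditions of the two
SoftICE breakpoints quoted for method 11 (BPX CreateFileA if
*(esp->4+4)=='SICE' ...) and for method 13 (BPX _regopenkey if
*(esp->8+0x13)=='tICE' ...) written out as C functions over the argument
strings, so the hard-coded offsets can be verified against the device and
key names. The strings passed in main() are constructed for the example and
the function names are the example's own; nothing here opens a device or
touches the registry.

```c
/* Added example (not from the original page): the predicates of the
 * "BPX CreateFileA if *(esp->4+4)=='SICE' ..." (method 11) and
 * "BPX _regopenkey if *(esp->8+0x13)=='tICE' ..." (method 13)
 * breakpoints, written as C over the argument strings.  Sample strings
 * in main() are constructed for the example; nothing opens a device or a
 * registry key. */
#include <stdio.h>
#include <string.h>

/* esp->4 is CreateFileA's first argument (lpFileName); +4 skips the
 * four bytes of the "\\.\" prefix; the dword compare then looks at the
 * next four bytes in memory order, which is what the SoftICE literals
 * 'SICE', 'SIWV' and 'NTIC' stand for.  _lopen receives the same
 * string, so the same test covers the AZPR-style variant. */
static int is_softice_device_name(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    const char *p = lpFileName + 4;
    if (strlen(p) < 4)                 /* the dword read would run past the name */
        return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(p, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Byte offset of "tICE" (SoftICE minus its first three letters) inside a
 * subkey string, or -1.  For the page's keys #2 and #1 this yields 0x13
 * and 0x37, the two constants of the _regopenkey breakpoint. */
static long tice_offset(const char *lpSubKey)
{
    const char *hit = lpSubKey ? strstr(lpSubKey, "tICE") : NULL;
    return hit ? (long)(hit - lpSubKey) : -1;
}

/* The breakpoint condition itself: esp->8 is RegOpenKeyA's second
 * argument (lpSubKey).  Only the two fixed offsets are probed, so key #3
 * (App Paths\Loader32.Exe) or any differently prefixed key slips by. */
static int bpx_regopenkey_condition(const char *lpSubKey)
{
    size_t n = lpSubKey ? strlen(lpSubKey) : 0;
    return (n >= 0x13 + 4 && memcmp(lpSubKey + 0x13, "tICE", 4) == 0)
        || (n >= 0x37 + 4 && memcmp(lpSubKey + 0x37, "tICE", 4) == 0);
}

int main(void)
{
    /* constructed inputs: the three device names, a harmless path, and
     * the three registry keys listed under method 13 */
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\AUTOEXEC.BAT" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(%-18s) -> %s\n", names[i],
               is_softice_device_name(names[i]) ? "break" : "pass");
    for (size_t i = 0; i < 3; i++)
        printf("tICE at %ld, breakpoint %s: %s\n", tice_offset(keys[i]),
               bpx_regopenkey_condition(keys[i]) ? "fires " : "silent",
               keys[i]);
    return 0;
}
```

Running it shows the two offsets falling out of the key names (19 = 0x13
for Software\NuMega\SoftICE, 55 = 0x37 for the Uninstall key) and that
the App Paths\Loader32.Exe key never trips the breakpoint, which is why a
program probing key #3 needs a third condition.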

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>