About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to be 0 (IVT segment), as in method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone; a debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; reached only if the int goes through the IVT
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; counter byte from the timer, hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler was bypassed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
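
The two DR7 values quoted above become clearer once the register is decoded. Added example (Python, not from the post): 0x400 is only bit 10, which is reserved and always reads as 1, while 0x700 adds the LE and GE exact-breakpoint enables; the same decoder shows how an armed BPM appears in DR0-DR3 and DR7. The bit layout is the one in the Intel SDM; the register values fed to it are constructed, not read from a machine.

```python
# Added example (not from the post): decode the x86 debug registers that the
# ring0 check described above reads. Bit layout per Intel SDM Vol. 3, "Debug
# Registers" (DR7). All register values below are constructed samples.
DR7_LE = 1 << 8               # local exact breakpoint enable
DR7_GE = 1 << 9               # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10    # always reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13              # general detect: traps any MOV to/from DRn

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in long mode


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        slots.append({
            "local": bool((dr7 >> (2 * i)) & 1),          # L0..L3 at even bits
            "global": bool((dr7 >> (2 * i + 1)) & 1),     # G0..G3 at odd bits
            "rw": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],    # R/Wn condition
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],  # LENn size
        })
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "slots": slots}


def encode_bpm(slot, rw, length, local=True):
    """DR7 bits a debugger sets to arm a memory breakpoint (BPM) in one slot."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot if local else 2 * slot + 1)
    return enable | (rw_code << (16 + 4 * slot)) | (len_code << (18 + 4 * slot))


def armed_breakpoints(dr0_3, dr7):
    """Return (slot, address, condition, length) for every enabled slot."""
    found = []
    for i, s in enumerate(decode_dr7(dr7)["slots"]):
        if s["local"] or s["global"]:
            found.append((i, dr0_3[i], s["rw"], s["len"]))
    return found


def classify(dr0_3, dr7):
    """The post's heuristic: LE/GE set (0x700 under the SoftICE loader) or a BPM armed."""
    flags = decode_dr7(dr7)
    findings = []
    if flags["le"] or flags["ge"]:
        findings.append("LE/GE exact-breakpoint bits set")
    for slot, addr, rw, length in armed_breakpoints(dr0_3, dr7):
        findings.append(f"BPM in DR{slot}: {rw} of {length} byte(s) at {addr:#010x}")
    return findings


if __name__ == "__main__":
    print(classify([0, 0, 0, 0], 0x400))   # baseline: nothing to report
    print(classify([0, 0, 0, 0], 0x700))   # the value the post attributes to the loader
    bpm = DR7_RESERVED_ONE | encode_bpm(0, "write", 4)   # a 4-byte BPM W in DR0
    print(classify([0x00401000, 0, 0, 0], bpm))
```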
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Try to open the SoftICE Win9x driver by its device name; the open only
   succeeds when the VxD is loaded and answers the DIOC_OPEN message. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
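
As an added example (Python, not part of the post), here is a small static scanner for the opcode and string patterns of methods 01 to 05, 07 and 11 to 13 above, so a sample can be triaged for these tricks before anyone traces it. The byte encodings assume 16-bit code, or 32-bit code with a 66h operand-size prefix, and the sample buffer it scans is constructed rather than taken from a real file.

```python
import re

# Added example (not from the post): byte patterns for the tricks listed above.
# Immediates are little-endian; an optional 66h prefix covers the 32-bit forms
# of the 16-bit register loads; .{0,16}? allows a few instructions between the
# magic load and the INT, as in the Haspinst.exe listing of method 02.
SIGNATURES = [
    ("01",    "mov ebp,'BCHK' BoundsChecker check",
     rb"\xBD\x4B\x48\x43\x42", 0),
    ("02",    "INT 3 backdoor magic SI=4647h / DI=4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL),
    ("03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.DOTALL),
    ("05",    "int 41h function 4Fh debugger check",
     rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL),
    ("F386",  "cmp ax,0F386h (magic value of methods 05/06/07/12)",
     rb"\x66?\x3D\x86\xF3", 0),
    ("07",    "int 68h function 43h WinICE handler check",
     rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),
    ("11",    "MeltICE-style device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", 0),
    ("12",    "push 002A002Ah VWIN32_Int41Dispatch VxDCall",
     rb"\x68\x2A\x00\x2A\x00", 0),
    ("13",    "SoftICE registry key string",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)", re.IGNORECASE),
]
COMPILED = [(key, desc, re.compile(pat, flags)) for key, desc, pat, flags in SIGNATURES]


def scan(data):
    """Return [(offset, key, description)] for every signature hit, sorted by offset."""
    hits = []
    for key, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), key, desc))
    return sorted(hits)


# Constructed sample, not a real file: a HASP-style 16-bit INT 3 backdoor call,
# a 32-bit int 41h/4Fh check, a VxDCall to VWIN32_Int41Dispatch, two MeltICE
# device names and the NuMega registry key, separated by padding.
SAMPLE = (
    b"MZ" + b"\x00" * 14                                   # fake header padding
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # push 4Fh; push 002A002Ah
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # \\.\SICE, \\.\NTICE
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, key, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {key:<5} {desc}")
```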

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>