<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes on INT 3:
the call is made with EBP='BCHK' and AX=0004h; when SoftICE is loaded its
INT 3 handler recognises the request and changes AL, so if AL is still 4
afterwards no SoftICE is present.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker magic)
        mov ax, 04h             ; function 4
        int 3                   ; serviced by SoftICE if it is loaded
        cmp al,4                ; AL unchanged -> nobody serviced the call
        jnz SoftICE_Detected

Without a debugger, INT 3 raises a breakpoint exception in a Win32
program, so real implementations wrap the call in an exception handler
(the DOS example of Method 02 relies on the same thing).
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' interface on INT 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description of the functions (AX on entry):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications (BX walks a table of
six command-string pointers, CX counts the loop):

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE nothing services the INT 3.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD through
int 2Fh, function 1684h (Get VxD API entry point): ES:DI comes back as
0:0 when no VxD with that device ID is loaded; anything else means the
VxD (and therefore SoftICE) is present.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE video (GFX) VxD, SIWVID.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> no such VxD
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h that every system debugger
returns (in AX) to the int 41h debugger installation check, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh              ; AX = 4Fh: installation check
        int 41h
        cmp ax, 0F386h          ; a system debugger answers 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first
pointed at a dummy IRET handler, so unless something intercepts the
interrupt underneath the vector table (which is what SoftICE does), AX
comes back unchanged:

        mov bx, cs              ; (ES must be 0, the IVT segment; see Method 06)
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in DX:BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4Fh without SoftICE
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect.
The program installs its own int 41h handler, which copies AL to CL, and
calls int 41h with an unpredictable value in AL (read from timer port 40h)
and CX = 0. If the program's handler ran, CL equals AL; if SoftICE
intercepted the interrupt instead, CL is still 0 and the two differ.
(If the timer byte happens to be 0 the check misses SoftICE that one time.)

int41handler PROC
        mov cl,al               ; only runs if nobody intercepted int 41h
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = low byte of the PIT counter (unpredictable)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86), which answers the
same 0F386h magic number to function 43h:

        mov ah,43h              ; AH = 43h: installation check
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system:
the program intercepts int 01h and int 03h (the debug interrupts) and
redirects them to a routine of its own.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app through the
VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (possible in ring 0 only: MOV from a debug register
is a privileged instruction). The values can be manipulated or changed as
well (clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver device can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, the request goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; open failed: no SoftICE


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compare looks at the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it only works on Win95/98
(not NT): it goes through the VxDCall backdoor (Kernel32 ordinal 1) to
reach the same int 41h dispatch from ring 3. This detection was found in
the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                                  \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                                  \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 'tICE' sits at offset 0x13 in
"Software\NuMega\SoftICE" and at offset 0x37 in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")
__________________________________________________________________________
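As an added example (not code from the original text, nor from any of the
programs it names), here is a small C scanner that looks for the byte patterns
and strings of Methods 01 to 13 in a raw code/data buffer, the way one would
triage a packer or protector before stepping through it in SoftICE. The
signature names, the scan API and the constructed SAMPLE fragment are this
example's own; the opcodes, magic values, device names and registry keys are
the ones listed above.

```c
/* Static scanner for the SoftICE-detection idioms of Methods 01 to 13.
 * Added example: the signature names, scan API and SAMPLE buffer are
 * assumptions of this example; the constants come from the listings above.
 * Patterns use the 16-bit encodings; the 32-bit forms only add a 66h
 * operand-size prefix in front of each instruction, so the single-instruction
 * patterns still match them. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *pat; size_t len; } sig_t;
typedef struct { const char *name; size_t offset; } hit_t;

static const unsigned char S_BCHK[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh 'BCHK' */
static const unsigned char S_BD_AX[]   = { 0xB8, 0x11, 0x09 };             /* mov ax,0911h             */
static const unsigned char S_BD_SI[]   = { 0xBE, 0x47, 0x46 };             /* mov si,4647h 'FG'        */
static const unsigned char S_BD_DI[]   = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh 'JM'        */
static const unsigned char S_VXD_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const unsigned char S_VXD_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same with bx=7A5Fh */
static const unsigned char S_INT41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 }; /* mov ax,4Fh; int 41h      */
static const unsigned char S_INT68[]   = { 0xB4, 0x43, 0xCD, 0x68 };       /* mov ah,43h; int 68h      */
static const unsigned char S_F386[]    = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h            */
static const unsigned char S_VXDCALL[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 002A002Ah           */

#define BIN(a) (a), sizeof (a)
#define STR(s) (const unsigned char *)(s), sizeof (s) - 1

static const sig_t SIGS[] = {
    { "M01 mov ebp,'BCHK'",              BIN(S_BCHK) },
    { "M02 mov ax,0911h",                BIN(S_BD_AX) },
    { "M02 mov si,4647h 'FG'",           BIN(S_BD_SI) },
    { "M02 mov di,4A4Dh 'JM'",           BIN(S_BD_DI) },
    { "M03 int 2Fh/1684h VxD 0202h",     BIN(S_VXD_SICE) },
    { "M04 int 2Fh/1684h VxD 7A5Fh",     BIN(S_VXD_SIWVID) },
    { "M05 mov ax,4Fh; int 41h",         BIN(S_INT41) },
    { "M07 mov ah,43h; int 68h",         BIN(S_INT68) },
    { "M05/07/12 cmp ax,0F386h",         BIN(S_F386) },
    { "M12 push 002A002Ah (VxDCall)",    BIN(S_VXDCALL) },
    { "M11 device \\\\.\\SICE",          STR("\\\\.\\SICE") },
    { "M11 device \\\\.\\SIWVID",        STR("\\\\.\\SIWVID") },
    { "M11 device \\\\.\\NTICE",         STR("\\\\.\\NTICE") },
    { "M13 key NuMega\\SoftICE",         STR("Software\\NuMega\\SoftICE") },
    { "M13 key Uninstall\\SoftICE",      STR("Uninstall\\SoftICE") },
    { "M13 key App Paths\\Loader32.Exe", STR("App Paths\\Loader32.Exe") },
};

/* Naive search of every signature over the whole buffer: returns the total
 * number of matches and records up to max_hits of them in hits[]. */
static size_t scan_softice_sigs(const unsigned char *buf, size_t len,
                                hit_t *hits, size_t max_hits)
{
    size_t n = 0, s, i;
    for (s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        if (SIGS[s].len > len) continue;
        for (i = 0; i + SIGS[s].len <= len; i++) {
            if (memcmp(buf + i, SIGS[s].pat, SIGS[s].len) != 0) continue;
            if (n < max_hits) { hits[n].name = SIGS[s].name; hits[n].offset = i; }
            n++;
        }
    }
    return n;
}

/* Constructed sample (not a real binary): a 16-bit fragment doing the
 * Method 02 back door call and the Method 05 int 41h check, followed by a
 * MeltICE device name. */
static const unsigned char SAMPLE[] = {
    0xB8, 0x11, 0x09,              /* 00: mov ax,0911h   */
    0xBE, 0x47, 0x46,              /* 03: mov si,4647h   */
    0xBF, 0x4D, 0x4A,              /* 06: mov di,4A4Dh   */
    0xCC,                          /* 09: int 3          */
    0xB8, 0x4F, 0x00,              /* 0A: mov ax,4Fh     */
    0xCD, 0x41,                    /* 0D: int 41h        */
    0x3D, 0x86, 0xF3,              /* 0F: cmp ax,0F386h  */
    0x74, 0x00,                    /* 12: jz $+2         */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* 14: "\\.\SICE" */
    0xC3                           /* 1D: ret            */
};

/* Number of signature hits in SAMPLE. */
static size_t sample_hits(void)
{
    hit_t hits[32];
    return scan_softice_sigs(SAMPLE, sizeof SAMPLE, hits, 32);
}

/* Offset of the first match of a named signature in SAMPLE, or -1. */
static long sample_hit_offset(const char *name)
{
    hit_t hits[32];
    size_t n = scan_softice_sigs(SAMPLE, sizeof SAMPLE, hits, 32), i;
    for (i = 0; i < n && i < 32; i++)
        if (strcmp(hits[i].name, name) == 0) return (long)hits[i].offset;
    return -1;
}

int main(void)
{
    hit_t hits[32];
    size_t n = scan_softice_sigs(SAMPLE, sizeof SAMPLE, hits, 32), i;
    for (i = 0; i < n && i < 32; i++)
        printf("%04lx  %s\n", (unsigned long)hits[i].offset, hits[i].name);
    return 0;
}
```

For a real target, read the file (or a dumped section) into the buffer instead
of SAMPLE. The 3-byte patterns (the SI/DI magic values, cmp ax,0F386h) will
occasionally fire on unrelated data, so treat a hit as a place to set a
breakpoint, not as proof that the trick is there.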


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). It returns with the zero flag set when no debugger is
installed:

        VMMCall Test_Debug_Installed
        je not_installed


This service just checks a flag.

</PRE></TD></TR></TBODY></TABLE>