About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE services this int 3 itself
    cmp     al,4                   ; and changes al; without it al is still 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (stays 0000:0000 if the VxD is not present)
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (stays 0000:0000 if the VxD is not present)
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; bx:dx = our own int 41h handler
    lea     dx, int41handler2       ; (es must already be 0, the IVT segment)
    xchg    dx, es:[41h*4]          ; swap it into the IVT, old vector -> bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; the IVT now points at a plain iret...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; ...so only a debugger hooking the int
    jz      SoftICE_detected        ; elsewhere can have answered 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al               ; prove we ran: copy al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = PIT counter byte (a changing value)
    xor     cx,cx
    int     41h                 ; our handler should set cl = al
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al: our handler did not run, or al was altered
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
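The two DR7 values quoted above (0x700 and 0x400) and the BPM slots can be read
off the DR7 bit layout. The decoder below is an added example, not code from the
original text: it interprets register values that were already read in ring 0
rather than reading them itself, and the names decode_dr7, classify_dr7, list_bpm
and clear_bpm are this example's own. It also shows the "clearing BPMs"
manipulation the text mentions.

```python
"""Decoder for the debug-register values Method 10 reads in ring 0.

Added example, not code from the original text. DR7 layout per the Intel SDM:
  bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
  bits 8, 9  LE, GE           exact-match flags (set by most debuggers)
  bit  10    reserved, always reads as 1  -> the 0x400 the text quotes
  bit  13    GD               general detect: trap on any DRx access
  bits 16-31 R/W0,LEN0 .. R/W3,LEN3   condition and size per breakpoint
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding: 00 = 1 byte, 01 = 2, 11 = 4; 10 means 8 bytes only in 64-bit mode
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return which of DR0..DR3 are armed and the global flags."""
    armed = []
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1
        global_en = (dr7 >> (2 * i + 1)) & 1
        if local_en or global_en:
            armed.append({
                "index": i,
                "local": bool(local_en),
                "global": bool(global_en),
                "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            })
    return {
        "armed": armed,
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
    }


def classify_dr7(dr7):
    """Map a DR7 value onto the two cases the text quotes.
    Assumption: the 0x700 / 0x400 distinction is exactly the LE and GE bits."""
    if dr7 & 0x300 == 0x300:
        return "le+ge set: consistent with a load through the SoftICE loader"
    if dr7 & 0x3FF == 0 and dr7 & 0x400:
        return "only reserved bit 10: consistent with a normal load"
    return "other"


def list_bpm(dr0_to_dr3, dr7):
    """Pair each armed slot with its linear address: what a BPM check sees."""
    return [(b["index"], dr0_to_dr3[b["index"]], b["kind"], b["length"])
            for b in decode_dr7(dr7)["armed"]]


def clear_bpm(dr0_to_dr3, dr7):
    """Values a protector would write back to wipe all hardware breakpoints:
    zero DR0..DR3, drop the enable and R/W-LEN bits, keep bits 8-13 (LE, GE,
    reserved bit 10, GD) as they were."""
    return [0, 0, 0, 0], dr7 & 0x3F00


if __name__ == "__main__":
    # Constructed values: a local 4-byte read/write BPM in slot 0 at 0x401000
    print(classify_dr7(0x700), "|", classify_dr7(0x400))
    print(list_bpm([0x401000, 0, 0, 0], 0x000F0401))
    print(clear_bpm([0x401000, 0, 0, 0], 0x000F0701))
```

A ring-0 reader would feed the raw mov-from-DRx results into these functions; the
decoding itself has no privilege requirement.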

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* If the SICE driver is loaded, opening its device name hands back a real
   handle; otherwise CreateFileA fails with INVALID_HANDLE_VALUE. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so the
  four bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
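The same device-name probe, written so the decision logic can be exercised
without a SoftICE install. This is an added example, not the original MeltICE
or NuMega code; the three device names are the ones listed above. On Windows the
opener calls CreateFileW through ctypes; anywhere else (and in tests) an
`opener` callable is passed in. The ERROR_ACCESS_DENIED branch is an assumption
added here: a driver's device object can exist yet refuse a non-privileged open,
and the original `hFile != INVALID_HANDLE_VALUE` test would then report
"not loaded".

```python
"""MeltICE-style device-name probe (Method 11), in Python.
Added example, not code from the original text or from MeltICE/NuMega.
"""
import sys

DEVICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")

INVALID_HANDLE_VALUE = -1
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80


def win32_opener(name):
    """Windows only: try to open `name`, return (handle, last_error).
    A successful handle is closed again right away, as MeltICE does."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    h = k32.CreateFileW(name, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    err = ctypes.get_last_error()
    # ctypes hands HANDLE back as an unsigned pointer-sized int (or None for
    # NULL), so INVALID_HANDLE_VALUE shows up as all-ones.
    if h is None or h in (INVALID_HANDLE_VALUE, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        return INVALID_HANDLE_VALUE, err
    k32.CloseHandle(h)
    return h, 0


def probe_softice(names=DEVICE_NAMES, opener=None):
    """Return {device name: verdict}; verdict is 'open', 'access-denied',
    'absent' or 'error:<code>'. `opener(name)` must return (handle, error)."""
    if opener is None:
        if sys.platform != "win32":
            raise RuntimeError("CreateFile is unavailable here; pass an opener")
        opener = win32_opener
    verdicts = {}
    for name in names:
        handle, err = opener(name)
        if handle != INVALID_HANDLE_VALUE:
            verdicts[name] = "open"            # the original MeltICE hit
        elif err == ERROR_ACCESS_DENIED:
            verdicts[name] = "access-denied"   # device exists, open refused (assumption)
        elif err == ERROR_FILE_NOT_FOUND:
            verdicts[name] = "absent"
        else:
            verdicts[name] = "error:%d" % err
    return verdicts


def softice_detected(verdicts):
    """MeltICE's decision: any device that opened counts; so does access-denied."""
    return any(v in ("open", "access-denied") for v in verdicts.values())


if __name__ == "__main__":
    v = probe_softice()
    print(v, "-> detected" if softice_detected(v) else "-> not detected")
```

On the detection side, the BPX on CreateFileA given above fires for this code
as well, since the device names are the same.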


__________________________________________________________________________
Method 12
=========


This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1 respectively.)

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set = no debugger

This service just checks a flag.
: d( i* R3 B# [  O8 j8 k</PRE></TD></TR></TBODY></TABLE>