About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE: if SoftICE
is present it services the int 3, and AL no longer holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the int 41h vector
with a dummy handler (a plain iret), so the magic value can only come from a
debugger that intercepts the interrupt before the vector table is consulted:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
a value read from the timer port (40h) is passed to the dummy handler in
al, which copies it into cl. If the handler ran, cl equals al; if SoftICE
intercepted int 41h instead, cl is still 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE VxD as a device: only succeeds when the driver is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
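As an added example, not code from the original post nor from HASP, NuMega or any tool named above, here is a small static triage scanner that turns the instruction sequences listed under Methods 01, 02, 03/04, 05, 07 and 12 into x86 byte signatures, and looks for the strings that Methods 11 (MeltICE device names) and 13 (registry keys) leave behind. An analyst can run it over a packer stub or installer to see which anti-SoftICE checks it carries before stepping into it. The byte encodings are my own hand assembly of the page's listings (the HASP loop's instruction lengths reproduce the listing's addresses 0095h..00ADh); the function names, labels and sample blobs are constructed for this example. The Method 02 hits are annotated with the back-door function number (AX) using the table from that section.

```python
"""Static triage scanner for the anti-SoftICE tricks listed on this page.

Added example (not code from the original post, HASP, NuMega or any tool
named above). Encodings are my own hand assembly of the listings; every
sample blob below is constructed.
"""
import re

# (label, regex over raw code bytes).  '.{0,N}?' windows tolerate a few
# unrelated instructions between the distinctive ones.
_SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 (32-bit, 66h prefix optional)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3 (16-bit)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (16-bit)
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h (16-bit)
    ("05 int 41h/4Fh magic number check",
     re.compile(rb"\xb8\x4f\x00\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h (16-bit)
    ("07 int 68h/43h magic number check",
     re.compile(rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL)),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall (32-bit)
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00", re.DOTALL)),
]

# Methods 11 and 13 leave plain strings behind (device names, registry keys).
_STRINGS = [
    ("11 MeltICE device name", b"\\\\.\\SICE"),
    ("11 MeltICE device name", b"\\\\.\\SIWVID"),
    ("11 MeltICE device name", b"\\\\.\\NTICE"),
    ("13 SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    ("13 SoftICE registry key", b"Uninstall\\SoftICE"),
    ("13 SoftICE registry key", b"App Paths\\Loader32.Exe"),
]

# Back-door function numbers from the Method 02 table (AX on entry to int 3).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string", 0x0911: "execute command",
    0x0912: "get breakpoint info", 0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def backdoor_function(blob, hit):
    """Look back a few bytes from a Method 02 hit for 'mov ax,09xxh' (B8 xx 09)."""
    m = re.search(rb"\xb8(.)\x09", blob[max(0, hit - 12):hit], re.DOTALL)
    if not m:
        return ""
    func = 0x0900 | m.group(1)[0]
    return f", AX={func:04X}h ({BACKDOOR_FUNCTIONS.get(func, 'unknown')})"


def scan(blob):
    """Return a sorted list of (offset, description) for every indicator found."""
    hits = []
    for label, sig in _SIGNATURES:
        for m in sig.finditer(blob):
            extra = backdoor_function(blob, m.start()) if label.startswith("02") else ""
            hits.append((m.start(), label + extra))
    for label, s in _STRINGS:
        pos = blob.find(s)
        while pos != -1:
            hits.append((pos, f"{label}: {s.decode('ascii')}"))
            pos = blob.find(s, pos + 1)
    return sorted(hits)


def hasp_sample():
    """The Haspinst.exe loop from Method 02, hand assembled (constructed sample)."""
    return bytes([
        0xB8, 0x11, 0x09,   # 0095  mov ax,0911h   ; execute command
        0x8B, 0x17,         # 0098  mov dx,[bx]
        0xBE, 0x47, 0x46,   # 009A  mov si,4647h   ; 1st magic value
        0xBF, 0x4D, 0x4A,   # 009D  mov di,4A4Dh   ; 2nd magic value
        0xCC,               # 00A0  int 3
        0x83, 0xC3, 0x02,   # 00A1  add bx,2
        0x41,               # 00A4  inc cx
        0x83, 0xF9, 0x06,   # 00A5  cmp cx,6
        0x72, 0xEB,         # 00A8  jb 0095
        0xE9, 0x55, 0xFF,   # 00AA  jmp 0002
        0x8B, 0xDC,         # 00AD  mov bx,sp
    ])


def packer_sample():
    """Constructed 32-bit stub: Method 01, then Method 12, then a MeltICE
    device name; jump displacements and the call target are placeholders."""
    return bytes([
        0xBD, 0x4B, 0x48, 0x43, 0x42,        # mov ebp,4243484Bh ('BCHK')
        0x66, 0xB8, 0x04, 0x00,              # mov ax,4
        0xCC,                                # int 3
        0x3C, 0x04,                          # cmp al,4
        0x75, 0x10,                          # jnz detected
        0x6A, 0x4F,                          # push 4Fh
        0x68, 0x2A, 0x00, 0x2A, 0x00,        # push 002A002Ah
        0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,  # call [Kernel32!ORD_0001]
        0x66, 0x3D, 0x86, 0xF3,              # cmp ax,0F386h
        0x74, 0x06,                          # jz detected
    ]) + b"\\\\.\\SICE\x00"


if __name__ == "__main__":
    for name, blob in (("haspinst loop", hasp_sample()), ("packer stub", packer_sample())):
        for offset, what in scan(blob):
            print(f"{name}: +{offset:04X}  {what}")
```

The signatures deliberately anchor on the operands the page calls out (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h/0202h/7A5Fh VxD lookup, the 4Fh function and 0F386h magic number, the 002A002Ah VxDCall selector) rather than on whole instruction streams, since packers reorder and pad the surrounding code; a real triage pass would run the same scanner over the unpacked image as well, because most of these checks live in the decryption stub.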