About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]  ; keeping the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keeping the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h             ; our handler should set cl = al
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; int number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
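To make the dr7 values quoted above concrete, here is an added example (not code from the original text) that decodes DR7 the way a ring0 check of this kind would have to: it reports the LE/GE bits that distinguish 0x700 from 0x400 and lists any armed hardware breakpoints from dr0 to dr3. The bit layout is the documented Intel DR7 layout (bit 10 is reserved and always reads as 1, which is why the "nothing set" value is 0x400 rather than 0); the register values fed to it are constructed for the demonstration, not captured from a real machine.

```python
from typing import Dict, List

# DR7 field decoding (Intel SDM vol. 3, "Debug Registers").
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes in long mode only


def decode_dr7(dr7: int, dr0_3: List[int]) -> Dict:
    """Decode DR7 and list the hardware breakpoints it has armed.

    `dr0_3` holds the four address registers DR0..DR3 (constructed values in
    the demo below; a real check reads them with MOV reg, DRn in ring0).
    """
    if len(dr0_3) != 4:
        raise ValueError("expected the four registers DR0..DR3")
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi: bits 1, 3, 5, 7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/Wi: break condition
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LENi: size of the watched range
        breakpoints.append({
            "index": i,
            "address": dr0_3[i],
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": 1 if rw == 0 else LEN_BYTES[ln],  # execute bps are always 1 byte
        })
    return {
        "local_exact": bool((dr7 >> 8) & 1),      # LE, bit 8
        "global_exact": bool((dr7 >> 9) & 1),     # GE, bit 9
        "general_detect": bool((dr7 >> 13) & 1),  # GD, bit 13
        "breakpoints": breakpoints,
    }


def loader_signature_present(dr7: int) -> bool:
    """The text's heuristic: 0x700 (LE and GE set) when the program was started
    from the SoftICE loader, 0x400 (only the always-set bit 10) otherwise."""
    return (dr7 & 0x300) == 0x300


def describe(dr7: int, dr0_3: List[int]) -> List[str]:
    """Human-readable summary, one line per finding."""
    info = decode_dr7(dr7, dr0_3)
    lines = [f"DR7 = {dr7:#010x}: LE={info['local_exact']} GE={info['global_exact']} "
             f"GD={info['general_detect']}"]
    if loader_signature_present(dr7):
        lines.append("LE+GE set: matches the 'loaded via SoftICE loader' pattern")
    for bp in info["breakpoints"]:
        lines.append(f"DR{bp['index']} armed ({bp['scope']}): {bp['type']} "
                     f"{bp['length']} byte(s) at {bp['address']:#010x}")
    return lines


if __name__ == "__main__":
    # Constructed register states, not captured from a real system:
    # loader pattern, idle DR7, and one 4-byte read/write BPM on DR0.
    for dr7, regs in [(0x700, [0, 0, 0, 0]),
                      (0x400, [0, 0, 0, 0]),
                      (0x400 | 0x1 | (0b11 << 16) | (0b11 << 18), [0x401000, 0, 0, 0])]:
        print("\n".join(describe(dr7, regs)))
```

The GD bit (bit 13) is the debugger's answer to this trick: when General Detect is set, any MOV to or from a debug register raises a debug exception before it executes, so the read described above becomes visible to the debugger instead of silently leaking the breakpoint state.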

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver handle can be opened. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
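As an added example (not code from the original text), the following Python script turns the opcode sequences and device names listed in methods 01 to 12 into byte signatures and scans a file image for them, the kind of triage an analyst does to spot anti-debugging checks in a sample before running it. The encodings are the standard x86 ones (mov ebp,imm32 = BD, mov ax,imm16 = B8, mov bx,imm16 = BB, int = CD, cmp ax,imm16 = 3D, push imm8/imm32 = 6A/68); the sample image is constructed inline. Two limits to keep in mind: a protector that builds these constants at run time will not match, and a device-name string such as '\\.\SICE' can appear in legitimate tools, so a hit is a lead for manual review, not a verdict.

```python
import re
import sys
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    description: str


# Byte signatures for the checks listed in the text.  `(?:\x66)?` allows the
# operand-size prefix that appears when a 16-bit immediate is used from a
# 32-bit code segment (or a 32-bit one from 16-bit code).
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("01", "BoundsChecker 'BCHK' value loaded into EBP before INT 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  ->  BE 47 46  BF 4D 4A
    ("02", "INT 3 back-door magic values SI=4647h, DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04", "INT 2Fh/1684h entry-point query for the SICE or SIWVID VxD",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h  ->  B8 4F 00  CD 41
    ("05", "INT 41h function 4Fh debugger-installation check",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h  ->  B4 43  CD 68
    ("07", "INT 68h function 43h WinICE handler check",
     rb"\xB4\x43\xCD\x68"),
    # Method 11: "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" as a C string
    ("11", "SoftICE device name (MeltICE / _lopen variant)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah  ->  6A 4F  68 2A 00 2A 00
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Methods 05/06/07/12 compare the result with 0F386h: cmp ax,0F386h -> 3D 86 F3
    ("05/06/07/12", "comparison with the system-debugger magic value 0F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),
]
COMPILED = [(m, d, re.compile(p)) for m, d, p in SIGNATURES]


def scan(image: bytes) -> List[Hit]:
    """Return every signature hit in `image`, ordered by file offset."""
    hits = [Hit(m.start(), method, desc)
            for method, desc, rx in COMPILED
            for m in rx.finditer(image)]
    return sorted(hits)


# Constructed sample image (not a real binary): NOP padding around a 32-bit
# Method 01 check, a 16-bit Method 05 check and a MeltICE device-name string.
SAMPLE_IMAGE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh   (offset 8)
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC\x3C\x04"              # int 3 ; cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax, 4Fh ; int 41h (offset 24)
    + b"\x3D\x86\xF3\x74\x10"      # cmp ax, 0F386h ; jz   (offset 29)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE"            (offset 38)
    + b"\x90" * 4
)


def main(argv: List[str]) -> int:
    """Scan the file named on the command line, or the built-in sample."""
    image = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_IMAGE
    hits = scan(image)
    for h in hits:
        print(f"{h.offset:08x}  method {h.method:<12} {h.description}")
    print(f"{len(hits)} hit(s)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the four hits in the constructed sample, or pass a file path to scan a real image. The signatures deliberately fix only the immediates that the text identifies as characteristic, so that register choice or instruction order around them does not matter; widening them further (for example matching any `int 41h`) would trade precision for noise.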
</PRE></TD></TR></TBODY></TABLE>