<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh        ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4                  ; SoftICE answers the BoundsChecker query
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h              ; VxD ID of winice
        int 2Fh
        mov ax, es                 ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax                ; ES:DI stays 0 if the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh              ; VxD ID of SIWVID
        int 2fh
        mov ax, es                 ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both temporarily replace the int 41h
vector in the IVT (ES is assumed to hold 0 here):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; swap in our own handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]        ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al                 ; only runs if nobody else owns int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                 ; timer value: a changing, unpredictable AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al                 ; CL still 0 if our handler was bypassed
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589               ; detected
        push 00                    ; OF_READ
        mov eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh             ; function 4fh
        push 002a002ah             ; high word specifies which VxD (VWIN32),
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001     ; VxdCall
        cmp ax, 0f386h             ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
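A static triage scanner for the tricks above, written as an added example for this page (not code from the original text): it searches a binary for the opcode sequences the assembly listings encode to, and for the MeltICE device and registry strings, so an analyst can flag a sample for anti-debugging code before single-stepping it. The byte patterns are hand-assembled from the listings and the sample bytes are constructed here.

```python
"""Static triage scanner for the SoftICE-detection tricks listed in this text.

Added example, not from the original document: it searches a binary for the
opcode sequences the assembly snippets above encode to, and for the device
and registry strings used by the MeltICE-style checks, so a sample can be
flagged before it is stepped through.  Patterns are hand-assembled from the
listings (16-bit forms; an optional 66h prefix covers 32-bit code).
"""
import re
import sys

# (method number in this text, description, compiled byte pattern)
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' loaded in EBP before INT 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    (2, "back door magic values SI=4647h, DI=4A4Dh",
     re.compile(rb"\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a", re.DOTALL)),
    (3, "INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                re.DOTALL)),
    (5, "INT 41h function 4Fh debugger-installed check",
     re.compile(rb"\xb8\x4f\x00.{0,8}?\xcd\x41", re.DOTALL)),
    (7, "INT 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL)),
    (11, "MeltICE device name for CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    (12, "VxDCall 002A002Ah / 4Fh (VWIN32_Int41Dispatch)",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
    (13, "SoftICE registry key name",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE)),
]


def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: NOP filler around three of the snippets from the text.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"                        # mov ax,0911h
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"    # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE',0 as passed to CreateFileA
    + b"\x90" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(data):
        print("%08x  method %02d  %s" % (off, method, desc))
```

Run it with a file path to scan a real sample; without arguments it scans the embedded constructed bytes and reports methods 02, 03 and 11.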
</PRE></TD></TR></TBODY></TABLE>