About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE's int 3 handler
recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is no longer 4 if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to the IVT (segment 0), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, keeping the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer: an unpredictable value in al
    xor     cx,cx
    int     41h                     ; our handler copies al to cl unless a debugger intercepts the call
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

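To make the two dr7 values quoted above concrete, here is an added example (not from the original text) that decodes a DR7 value by its architectural bit layout (L0..G3 enable bits 0-7, LE and GE at bits 8-9, the reserved always-one bit 10, GD at bit 13, and the R/Wn and LENn fields from bit 16 upwards) and classifies a value against the two reference numbers given in the text. The classification labels and the make_dr7 helper are this example's own.

```python
# Added example: decode an x86 DR7 debug-control register value.
# Bit layout (architectural, Intel/AMD): bits 0-7 = L0,G0,...,L3,G3 enables,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16+4n/17+4n = R/Wn, bits 18+4n/19+4n = LENn for breakpoint slot n.
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_BIT10 = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Describe every breakpoint slot and the global control bits of a DR7 value."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        length = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "index": n,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "slots": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED_BIT10),
    }


def active_breakpoints(dr7):
    """Indices of DR0-DR3 that are armed: what a BPM-clearing trick would zero."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def classify_dr7(dr7):
    """Classify DR7 using the two reference values quoted in the text:
    0x700 (LE|GE|bit 10) after loading through the SoftICE loader,
    0x400 (bit 10 only) otherwise.  Labels are this example's own."""
    if active_breakpoints(dr7):
        return "hardware breakpoints armed"
    if dr7 == 0x700:
        return "matches SoftICE-loader value (LE and GE set)"
    if dr7 == 0x400:
        return "clean (reserved bit only)"
    return "unusual value"


def make_dr7(index, scope, rw, length_bytes):
    """Build a DR7 that arms one slot; shows how the fields compose (constructed helper)."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length_bytes]
    enable = 1 << (2 * index + (1 if scope == "global" else 0))
    return (DR7_RESERVED_BIT10 | enable
            | (rw_code << (16 + 4 * index)) | (len_code << (18 + 4 * index)))


if __name__ == "__main__":
    for value in (0x700, 0x400, make_dr7(1, "local", "write", 4)):
        print(hex(value), classify_dr7(value), active_breakpoints(value))
```

Reading DR7 needs ring 0, exactly as the text says, so the decoder is meant for values captured from a kernel debugger or a crash dump; a BPM set in SoftICE shows up as an armed slot with type "write" or "read/write", which is what a hostile program looks for before clearing it.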
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
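From the analyst's side, the byte-level tells of Methods 01, 02, 05/07/12, 11 and 13 can be turned into one static triage scan run over an unpacked binary, which flags the trick before it is ever single-stepped. The block below is an added example, not part of the original text or of any tool it names; the byte patterns are my own encodings of the listings above (BD imm32 for mov ebp, 66 B8 imm16 for mov ax in 32-bit code, BE/BF imm16 for mov si/di, 3D imm16 for cmp ax) plus the literal device-name and registry strings, and the sample buffer is constructed inline rather than taken from any real file.

```python
import re

# Added example: static triage for the anti-SoftICE tricks described in this
# text.  Patterns are hand-derived from the instruction encodings of the
# listings (BD imm32 = mov ebp; 66 B8 imm16 = mov ax in 32-bit code;
# BE/BF imm16 = mov si/di; 3D imm16 = cmp ax) and from the literal strings.
INDICATORS = [
    # Method 01: mov ebp,'BCHK' ... mov ax,4 ... int 3
    ("bchk_int3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,4}?\xCC", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh within a few bytes of each other
    ("sice_backdoor_magic",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.S)),
    # Methods 05/07/12: cmp ax,0F386h (in 32-bit code a 66h prefix precedes the same bytes).
    # Three bytes only, so this is the weakest indicator and may hit by chance.
    ("f386_magic_compare", re.compile(rb"\x3D\x86\xF3")),
    # Method 11: NUL-terminated driver device names passed to CreateFileA / _lopen
    ("sice_device_name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # Method 13: the registry key that locates the installation
    ("sice_registry_key", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan_for_anti_softice(buf):
    """Return sorted (offset, indicator) pairs for every match in buf."""
    hits = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the listings above, re-encoded as bytes and
# padded with filler.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 8                        # filler
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x00" * 6
    + b"\xB8\x11\x09"                  # mov ax, 0911h        (16-bit code)
    + b"\x8B\x17"                      # mov dx, [bx]
    + b"\xBE\x47\x46"                  # mov si, 4647h
    + b"\xBF\x4D\x4A"                  # mov di, 4A4Dh
    + b"\xCC"                          # int 3
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"               # "\\.\SICE",0
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    for offset, name in scan_for_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The scanner only sees what is in the bytes it is given, so a packed executable has to be dumped or unpacked first; the string indicators are the most reliable, the two opcode sequences are strong because they combine several immediates, and the bare F386 compare is worth reporting only together with a nearby int 41h, int 68h or VxDCall.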

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>