About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes es = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own int 41h handler just copies al to cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the timer counter: a changing value
    xor     cx,cx
    int     41h                 ; if nobody intercepts int 41h, cl becomes al
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl still 0 -> something swallowed int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
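As an added example (not part of the original post), here is a small Python scanner that looks for the byte patterns and strings the methods above rely on, so an analyst can tell which anti-SoftICE checks a binary carries without tracing it. It assumes the plain 16-bit encodings for the DOS snippets and 32-bit encodings for the Win32 ones (a 32-bit build of Method 02 would carry a 66h prefix and is not matched); the sample image at the bottom is constructed for the demo.

```python
# Added example, not code from the original post: a static signature scanner
# for the anti-SoftICE tricks listed above. It reports which method's byte
# pattern or string appears in a raw binary image and at what offset.
import re
import sys


def bytes_sig(*seqs: bytes) -> bytes:
    """Regex alternation matching any of the given literal byte strings."""
    return b"|".join(re.escape(s) for s in seqs)


# (method number, description, regex over raw bytes). Encodings are the plain
# 16-bit forms for the DOS snippets (mov ax/bx/si/di,imm16 = B8/BB/BE/BF) and
# 32-bit forms for the Win32 ones (mov ebp,imm32 = BD; push imm8/imm32 = 6A/68).
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' int 3 probe",              # mov ebp,4243484Bh ... int 3
     re.escape(b"\xBD\x4B\x48\x43\x42") + rb".{0,8}?\xCC"),
    (2, "int 3 back door magic SI=4647h / DI=4A4Dh",      # mov si,4647h ; mov di,4A4Dh
     bytes_sig(b"\xBE\x47\x46\xBF\x4D\x4A")),
    (3, "int 2Fh/1684h entry point of VxD 0202h (SICE)",  # mov ax,1684h ; mov bx,0202h ; int 2Fh
     bytes_sig(b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    (4, "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     bytes_sig(b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    (5, "int 41h/4Fh debugger installation check",        # mov ax,4Fh ; int 41h
     bytes_sig(b"\xB8\x4F\x00\xCD\x41")),
    (7, "int 68h/43h WinICE handler check",               # mov ah,43h ; int 68h
     bytes_sig(b"\xB4\x43\xCD\x68")),
    (11, "MeltICE driver name for CreateFileA/_lopen",
     bytes_sig(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    (12, "VxDCall VWIN32_Int41Dispatch function 4Fh",     # push 4Fh ; push 2A002Ah
     bytes_sig(b"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    (13, "registry key locating the SoftICE directory",
     bytes_sig(b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"Loader32.Exe")),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(image: bytes) -> list:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = [(match.start(), method, desc)
            for method, desc, pat in COMPILED
            for match in pat.finditer(image)]
    return sorted(hits)


def methods_found(image: bytes) -> list:
    """Distinct method numbers whose signature occurs in the image."""
    return sorted({method for _, method, _ in scan(image)})


# Constructed sample image: filler, then Method 01, Method 02, the MeltICE
# device name and the Method 12 push sequence, separated by NOPs (90h).
SAMPLE = (
    b"MZ" + b"\x90" * 6                    # offsets 0..7
    + b"\xBD\x4B\x48\x43\x42"              # 8:  mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00" + b"\xCC"        # 13: mov ax,4 ; 17: int 3
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # 22: mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                   # 33: '\\.\SICE'
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # 42: push 4Fh ; push 2A002Ah
)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(image):
        print(f"{offset:08x}  Method {method:02d}  {desc}")
```

Run it with a file path to scan a real image, or with no argument to scan the constructed sample.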