<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 4, the INT 3 is taken by SoftICE, which answers by
changing AL. AL is therefore still 4 only when no SoftICE is loaded.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI is set to its
API entry point; otherwise both stay 0.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WINICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first swap a dummy handler for
int 41h into the real-mode IVT, so the call returns harmlessly when no
debugger services int 41h, and restore the original vector afterwards:

    xor ax, ax
    mov es, ax               ; ES must address the IVT at segment 0
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot: it calls
int 41h with a random function number taken from the timer (AL) instead
of 4Fh, and checks whether its own handler actually ran (the handler
copies AL into CL). If a debugger swallowed the interrupt, CL is still 0
and differs from AL (unless AL happened to be 0). No 4Fh or 0F386h
constant appears in the code.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES must address the IVT at segment 0
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; pseudo-random value from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) and whether memory breakpoints
are set (DR0 to DR3), simply by reading their values (ring 0 only, since
a MOV from a debug register faults in ring 3). The values can be
manipulated or changed as well (clearing BPMs, for instance).
__________________________________________________________________________
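A decoder for the DR7 bit layout, added here as an example (it is not code from the original text or from SoftICE): it shows why the two values quoted above differ, since 0x400 is only the architecturally reserved bit 10 while 0x700 also has the LE and GE "exact breakpoint" bits set, and it reports which of DR0..DR3 is armed (a BPM in SoftICE terms). Reading DR7 needs ring 0, so the value is passed in rather than read; the classification strings are this example's own.

```python
# Added example (not code from the original text or from SoftICE): decode an
# x86 DR7 value into the fields Method 10 reads from ring 0. Bit positions
# follow the Intel SDM; reading DR7 itself is a privileged MOV, so values
# are passed in rather than read here.

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn=10b means 8 bytes (64-bit only), 11b means 4


def decode_dr7(dr7):
    """Return the control bits and the type/length of each of the 4 slots."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: enable for this task
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: enable for all tasks
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: what triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: watched size
        slots.append({
            "slot": n,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally reads as 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: faults on MOV DRn
        "slots": slots,
    }


def debugger_indicator(dr7):
    """Classify a DR7 value the way Method 10 does (wording is this example's own).

    0x400 is the reset value (only the reserved bit). 0x700 additionally has
    LE and GE set, the value the text reports for a program started by the
    SoftICE loader. Any enabled slot means a hardware breakpoint (a BPM) is
    armed, which is the stronger indicator.
    """
    d = decode_dr7(dr7)
    armed = [s["slot"] for s in d["slots"] if s["enabled"]]
    if armed:
        return "hardware breakpoint(s) armed in slot(s) %s" % (armed,)
    if d["LE"] and d["GE"]:
        return "LE/GE set: consistent with a SoftICE-loaded program"
    if dr7 == 0x400:
        return "reset value: no debugger indicators"
    return "no breakpoints armed"


if __name__ == "__main__":
    # 0x000D0401: L0 set, R/W0 = write, LEN0 = 4 bytes (a 4-byte BPM W on DR0)
    for v in (0x400, 0x700, 0x000D0401):
        print("%#010x -> %s" % (v, debugger_indicator(v)))
```

The same decoding applies to what a protection reads with MOV EAX,DR7 in a VxD: a non-zero L/G bit in the low byte reveals a BPM even when the program is not started through the loader, which is why the text says to clear breakpoints first.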

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (esp->8 is lpSubKey; offsets 0x13 and
0x37 are where 'tICE' sits in keys #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
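The fixed constants in methods 01, 02, 03/04, 05, 07, 11, 12 and 13 make these tricks easy to find statically, before anything is run under SoftICE. The following scanner is an added example, not code from the original text or from any of the programs it mentions: it searches a raw binary for the instruction sequences (standard x86 encodings, 16-bit for the DOS tricks, 32-bit for method 12) and for the driver and registry names, and runs on a constructed sample buffer that mimics the Haspinst.exe loop, the simple int 41h check and a MeltICE device string. Method 06 deliberately carries no constant and is not covered; wide-character device names are not covered either.

```python
# Added example (not code from the original text or from the programs it
# cites): find anti-SoftICE tricks 01-05, 07, 11-13 in a raw binary by
# their instruction/string constants. Encodings are standard x86; nothing
# here is taken from a real executable.
import re


def _either_order(a, b, gap=rb".{0,8}?"):
    """Match two instruction encodings in either order, a few bytes apart."""
    return rb"(?:" + a + gap + b + rb"|" + b + gap + a + rb")"


P16 = rb"(?:\x66)?"   # operand-size prefix: present when a 16-bit mov is used in 32-bit code
GAP = rb".{0,8}?"     # tolerate a few unrelated bytes between the instructions

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "01 BoundsChecker BCHK/INT 3":
        re.compile(P16 + rb"\xBD\x4B\x48\x43\x42" + GAP + P16 + rb"\xB8\x04\x00" + GAP + rb"\xCC", re.S),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ; int 3
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        re.compile(_either_order(P16 + rb"\xBE\x47\x46", P16 + rb"\xBF\x4D\x4A") + GAP + rb"\xCC", re.S),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "03/04 INT 2Fh/1684h VxD ID 0202h/7A5Fh":
        re.compile(_either_order(rb"\xB8\x84\x16", rb"\xBB(?:\x02\x02|\x5F\x7A)") + GAP + rb"\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h (Stone's xchg variant fits in the 16-byte gap)
    "05 INT 41h/4Fh debugger check":
        re.compile(rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "07 INT 68h/43h WinICE check":
        re.compile(rb"\xB4\x43" + GAP + rb"\xCD\x68.{0,16}?\x3D\x86\xF3", re.S),
    # Method 11: '\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' for CreateFileA/_lopen (ANSI only)
    "11 MeltICE device name":
        re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00", re.S),
    # Method 12 (32-bit): push 4Fh ; push 2A002Ah ; call VxDCall ; cmp ax,0F386h
    "12 VxDCall VWIN32_Int41Dispatch/4Fh":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,12}?\x66\x3D\x86\xF3", re.S),
    # Method 13: registry key #2, HKLM\Software\NuMega\SoftICE (ANSI only)
    "13 NuMega\\SoftICE registry key":
        re.compile(re.escape(b"NuMega\\SoftICE"), re.S),
}


def scan(blob):
    """Return a list of (rule name, byte offset) for every hit, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real binary): the Haspinst.exe back-door loop
# body from method 02, the simplest int 41h/4Fh check from method 05 and a
# MeltICE device name, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                          # mov ax,0911h
    + b"\x8B\x17"                              # mov dx,[bx]
    + b"\xBE\x47\x46"                          # mov si,4647h      (offset 9)
    + b"\xBF\x4D\x4A"                          # mov di,4A4Dh
    + b"\xCC"                                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz (offset 20)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                       # '\\.\SICE',0        (offset 34)
)


if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print("%#06x  %s" % (off, name))
```

Offsets are byte offsets into the buffer given, so on a packed program the scan must be repeated on the unpacked image; the 0x66 prefix is optional in the patterns because the same 16-bit moves appear with it when a Win32 program reuses the DOS sequences. A hit is a lead, not proof: the byte strings are short, so confirm each one in a disassembler or with the matching BPX from the sections above.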

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>