About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with
'BCHK' in EBP and AX=4, SoftICE's int 3 handler answers by changing AL,
so AL no longer equals 4 when the debugger is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK' signature
    mov     ax, 04h                ; BoundsChecker service 4
    int     3                      ; SoftICE's int 3 handler recognises the signature
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (API "Get Device API Entry Point"): if the VxD is present,
ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI still 0:0 if no such VxD
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it asks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is swapped
for a dummy handler that just returns; since SoftICE intercepts the
interrupt before the real-mode vector table is consulted, AX still comes
back as 0F386h when it is loaded:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL. If nobody intercepts int 41h, the
dummy handler runs and CL equals AL afterwards; if a debugger handles the
interrupt itself, CL stays 0 and the mismatch gives it away.

int41handler PROC
    mov     cl,al                   ; proves the dummy handler actually ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an arbitrary, changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h                  ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

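The two DR7 values quoted above (0x700 and 0x400) are easier to reason about once the register is decoded into its fields. The following decoder is an added example, not part of the original post; it follows the architectural DR7 layout (L0..G3 enable bits, LE/GE exact-breakpoint flags, the always-set reserved bit 10, the GD general-detect bit, and the R/W and LEN fields for each slot). The values 0x700 and 0x400 come from the text; 0x70001 is a constructed value standing for one BPM-style read/write breakpoint in slot 0.

```python
# Added example (not from the original post): decode the DR7 values that
# Method 10 reads, so the 0x700 / 0x400 distinction and any enabled hardware
# breakpoints (BPMs) show up as named fields instead of raw hex.
# Bit layout follows the architectural DR7 definition; reading DRx in ring 3
# faults, which is why the text says "in ring0 only".

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> bytes covered


def decode_dr7(dr7):
    """Return the enabled breakpoint slots and the global flags of a DR7 value."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: what kind of access traps
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: size of the watched range
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "kind": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & 0x100),              # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # architecturally always 1
        "GD": bool(dr7 & 0x2000),             # general detect: MOV DRx traps
    }


def classify_dr7(dr7):
    """Map a DR7 value onto the interpretation given in Method 10."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        used = [s["slot"] for s in d["breakpoints"]]
        return f"memory breakpoints set in slots {used}"
    if d["LE"] and d["GE"]:
        return "exact-breakpoint flags set (0x700 pattern: loaded under the SoftICE loader)"
    return "only the reserved bit set (0x400 pattern: no debugger-set state)"


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in the text; 0x70001 is constructed:
    # slot 0 enabled (L0), R/W0 = 3 (read/write), LEN0 = 1 (2 bytes).
    for value in (0x700, 0x400, 0x70001):
        print(hex(value), "->", classify_dr7(value))
```

Note the GD bit in the decoded output: when a debugger sets it, any MOV to or from a debug register raises #DB before it completes, which is the architectural counterpart of the text's advice to clear breakpoints before a protected program gets to read DR0-DR7.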
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD; the open only
      succeeds when the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

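The breakpoints listed for methods 02, 05, 11 and 12 all catch the trick at run time, which needs SoftICE loaded and a live target. The same tricks can also be recognised statically from the bytes they assemble to: the 'BCHK' immediate and int 3 (method 01), the 4647h/4A4Dh magic values (method 02), int 2Fh/1684h with the SICE or SIWVID VxD id (methods 03/04), int 41h/4Fh followed by the 0F386h compare (method 05), int 68h/43h (method 07), the `\\.\SICE`/`\\.\SIWVID`/`\\.\NTICE` device names (method 11) and the 4Fh/002A002Ah pushes before VxDCall (method 12). The scanner below is an added example, not code from the original post; the instruction encodings are standard x86 (immediates little-endian, an optional 66h operand-size prefix allowed where 16- and 32-bit code differ), and the sample blob it scans is constructed here from those encodings.

```python
# Added example (not from the original post): a small static scanner that
# looks for the byte patterns the anti-SoftICE tricks above compile to, so an
# analyst can flag them in a DOS/Win9x sample without running it.
import re

# name -> compiled regex over raw bytes. Immediates are little-endian;
# `(?:\x66)?` allows the operand-size prefix that appears when a 16-bit
# instruction sits in 32-bit code or vice versa. `.{0,n}?` tolerates a few
# unrelated instructions between the interesting ones.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "int3 BCHK (Method 01)": re.compile(
        rb"\xbd\x4b\x48\x43\x42"                 # mov ebp, 4243484Bh
        rb"(?:\x66)?\xb8\x04\x00"                # mov ax, 4
        rb"(?:\xcc|\xcd\x03)", re.DOTALL),       # int 3 (short or long form)
    # Method 02: magic values SI=4647h and DI=4A4Dh near an int 3
    "int3 backdoor magic (Method 02)": re.compile(
        rb"\xbe\x47\x46"                         # mov si, 4647h
        rb".{0,16}?\xbf\x4d\x4a"                 # mov di, 4A4Dh
        rb".{0,16}?(?:\xcc|\xcd\x03)", re.DOTALL),
    # Methods 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) id
    "int 2Fh VxD id probe (Methods 03/04)": re.compile(
        rb"\xb8\x84\x16"                         # mov ax, 1684h
        rb".{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"     # mov bx, 0202h / 7A5Fh
        rb".{0,8}?\xcd\x2f", re.DOTALL),         # int 2Fh
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int 41h/4Fh magic (Method 05)": re.compile(
        rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?(?:\x66)?\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "int 68h/43h (Method 07)": re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL),
    # Method 11: device names handed to CreateFileA / _lopen
    "SoftICE device name (Method 11)": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    "VxDCall Int41Dispatch (Method 12)": re.compile(
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)"    # push 4Fh (short or long form)
        rb".{0,4}?\x68\x2a\x00\x2a\x00", re.DOTALL),  # push 002A002Ah
}


def scan(blob):
    """Return (offset, signature name) hits found in blob, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: several of the tricks assembled back-to-back with NOP
# filler, plus a lone int 3 (offset 32) that must NOT match anything.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"    # Method 01 @4
    + b"\x90" * 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"         # Method 02 (Haspinst) @20
    + b"\xcc"                                                      # lone int 3 @32: no hit
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                         # Method 03 @33
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                 # Method 05 @41
    + b"\\\\.\\SIWVID\x00"                                         # Method 11 string @51
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"         # Method 12 @62
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The patterns are deliberately narrow (a bare `int 3` or `int 41h` is never reported on its own) so that a hit points at one of the documented tricks rather than at ordinary debugging code; widening the `.{0,n}?` gaps trades that precision for tolerance of packers that interleave junk instructions.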
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>