About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Without a debugger, the handler just installed runs, copies the timer value
read from port 40h into cl and returns, so cl==al. When SoftICE fields int 41h
itself, the handler never runs, cl stays 0 and the compare fails.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

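Decoding what a Method 10 check actually reads from dr7, as an added example that is not part of the original text: it uses the documented x86 DR7 bit layout, so it goes beyond the two values quoted above and also shows how a BPM on dr0 to dr3 shows up (the 0x000D0001 sample value is constructed).

```python
"""Decode the DR7 value that a Method 10 check reads (added example).

Bit layout per the x86 debug-register documentation: bits 0-7 are the
L0/G0..L3/G3 enables, bits 8-9 LE/GE, bit 10 reserved (reads as 1, hence
the 0x400 baseline), bit 13 GD, bits 16-31 the R/W and LEN fields of the
four breakpoints.
"""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> breakpoint width


def decode_dr7(dr7: int) -> Dict:
    """Return the enabled hardware breakpoints plus the LE/GE/GD control bits."""
    slots: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"reg": f"dr{i}",
                          "scope": "global" if glob else "local",
                          "type": RW_NAMES[rw],
                          "len": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),  # general detect: faults on any mov to/from DRx
    }


def classify(dr7: int) -> str:
    """Apply the Method 10 heuristic quoted above to a raw DR7 value."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        names = ", ".join(
            f"{b['reg']} ({b['type']}, {b['len']} byte(s), {b['scope']})"
            for b in info["breakpoints"])
        return "memory breakpoints set: " + names
    if info["LE"] and info["GE"]:
        return "LE/GE set (the 0x700 case: started under the SoftICE loader)"
    return "no hardware breakpoints, LE/GE clear (the 0x400 case: plain load)"


if __name__ == "__main__":
    # constructed sample values: the two quoted above, plus a 4-byte write BPM on dr0
    for value in (0x400, 0x700, 0x000D0001):
        print(f"dr7={value:#010x}: {classify(value)}")
```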
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
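A static triage scanner for the byte and string indicators that Methods 01 through 13 leave in a binary, as an added example that is not part of the original text: the opcode encodings are the standard x86 ones, the constants come from the listings above, and the SAMPLE buffer is constructed from the Haspinst.exe loop, the Method 05 probe, a MeltICE device name and a Method 13 registry path.

```python
"""Static scanner for the anti-SoftICE indicators of Methods 01-13 (added example).
Each signature is the byte or string pattern the trick leaves in a binary."""
import re
import sys
from typing import List, Tuple

# Sub-functions of the int 3 back door (Method 02), keyed by the AX value.
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",
            0x0912: "get breakpoint info", 0x0913: "set breakpoint",
            0x0914: "remove breakpoint"}

SIGNATURES = [  # (pattern over raw bytes, method, description)
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    (re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S), "01", "'BCHK' magic + int 3"),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    (re.compile(rb"(\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC", re.S),
     "02", "back door magic SI=4647h/DI=4A4Dh + int 3"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    (re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"), "03/04",
     "int 2Fh/1684h query for the SICE/SIWVID VxD"),
    # Methods 05-07/12: cmp ax,0F386h (system-debugger magic number)
    (re.compile(rb"\x3D\x86\xF3"), "05-07/12", "cmp ax,0F386h debugger magic"),
    # Method 07: mov ah,43h ; int 68h
    (re.compile(rb"\xB4\x43\xCD\x68"), "07", "int 68h/43h WinICE handler probe"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    (re.compile(rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"), "12",
     "VxDCall VWIN32_Int41Dispatch, function 4Fh"),
    # Method 11: device names handed to CreateFileA/_lopen
    (re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"), "11", "MeltICE driver handle open"),
    # Method 13: registry keys that reveal the installation directory
    (re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
     "13", "SoftICE registry key lookup"),
]

def _backdoor_function(data: bytes, pos: int) -> str:
    """Look back up to 16 bytes for 'mov ax,09xxh' (B8 xx 09) and name the function."""
    for m in re.finditer(rb"\xB8(.)\x09", data[max(0, pos - 16):pos], re.S):
        fn = 0x0900 | m.group(1)[0]
        if fn in BACKDOOR:
            return f" [fn {fn:04X}h: {BACKDOOR[fn]}]"
    return ""

def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every indicator found, by offset."""
    hits = []
    for pattern, method, what in SIGNATURES:
        for m in pattern.finditer(data):
            extra = _backdoor_function(data, m.start()) if method == "02" else ""
            hits.append((m.start(), method, what + extra))
    return sorted(hits)

# Constructed sample, padded with nops and zeros (see the lead-in for what it holds).
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911 ; mov dx,[bx] ; mov si ; mov di ; int 3
          + b"\x90" * 4
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
          + b"\x00" * 4
          + b"\\\\.\\SICE\x00"
          + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, what in scan(blob):
        print(f"{off:08X}  Method {method:<9} {what}")
```

Run it with a file argument to scan a real sample; with no argument it scans the constructed buffer.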

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>