About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: with ebp set
to 'BCHK' and ax=4, int 3 returns al=4 only when SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI is non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  This one temporarily installs its own
do-nothing int 41h handler in the interrupt vector table, so ax stays 4Fh
unless SoftICE intercepts the call before the vector is reached:

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our handler in, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect: the
temporary handler copies al into cl, and a random byte read from the timer
port is used as the function number.  If SoftICE intercepts int 41h, the
handler never runs and cl (zeroed beforehand) no longer matches al.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap our handler in, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
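An analyst-side companion to the post, added here and not part of the original text: a small static scanner that looks for the byte patterns the listed tricks leave in a binary (the 'BCHK' immediate, the 4647h/4A4Dh magic values, int 2Fh/1684h with the SICE and SIWVID VxD ids, int 41h/4Fh, int 68h/43h, the 0F386h magic number, the VxDCall 002A002Ah/4Fh pair, the \\.\SICE device names and the NuMega registry key). The byte encodings are the standard x86 ones for the instructions shown in the post; the sample buffer is constructed by hand and is not a real file.

```python
import re

# (method number in the post, what the bytes encode, regex over raw bytes).
# Immediates are little-endian; \x66 is the optional operand-size prefix seen
# when the same 16-bit instruction is assembled inside 32-bit code.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker signature)",
     rb"\x66?\xbd\x4b\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh (back-door magic values)",
     rb"\xbe\x47\x46\xbf\x4d\x4a"),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD id)",
     rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD id)",
     rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xb8\x4f\x00\xcd\x41"),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic number)",
     rb"\x66?\x3d\x86\xf3"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler check)",
     rb"\xb4\x43\xcd\x68"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"),
    ("11", "MeltICE device name", re.escape(rb"\\.\SICE")),
    ("11", "MeltICE device name", re.escape(rb"\\.\SIWVID")),
    ("11", "MeltICE device name", re.escape(rb"\\.\NTICE")),
    ("13", "SoftICE registry key", re.escape(rb"Software\NuMega\SoftICE")),
]
COMPILED = [(m, d, re.compile(p)) for m, d, p in SIGNATURES]


def scan(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(data):
            hits.append((match.start(), method, desc))
    return sorted(hits)


def methods_present(data: bytes) -> set[str]:
    """Labels of the methods whose signature appears at least once."""
    return {method for _, method, _ in scan(data)}


# Constructed sample, not a real file: two nops, hand-assembled fragments of
# methods 01, 02 and 05 from the post, then two NUL-terminated strings.
SAMPLE = (
    b"\x90\x90"
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"           # mov si,4647h; mov di,4A4Dh; int 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"       # mov ax,4Fh; int 41h; cmp ax,0F386h
    + rb"\\.\SICE" + b"\x00"                    # MeltICE device name
    + rb"Software\NuMega\SoftICE" + b"\x00"     # registry key from Method 13
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04x}  Method {method:<9} {desc}")
```

Matches are triage hints only: a compiler may reorder the instruction pairs, and a packer may build the strings at run time, so a hit is confirmed in the debugger with the breakpoints the post gives for each method.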