<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognizes on int 3:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4              ; SoftICE changes al when it sees the signature
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI == 0000:0000 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________
+ A1 k" Y* O! m4 O; n! MMethod 04
& f/ U7 | n+ i; I, D=========
; x0 |! H" C) g' G8 S3 f4 y$ |1 [; m1 ^, b% |
Method identical to the preceding one except that it seeks the ID of SoftICE+ V+ T) E% q+ C
GFX VxD.
3 o, ~" a5 M. u2 ?) a& I! `8 w" S* }& y
xor di,di' F1 V: M/ l; U
mov es,di" M, l5 Z6 m5 H6 w9 t
mov ax, 1684h 6 W4 q6 [/ [& |/ j8 B, E
mov bx, 7a5Fh ; VxD ID of SIWVID. f9 {( D$ J2 z% W& C8 t
int 2fh
5 |% p. T$ s# B, u mov ax, es ; ES:DI -> VxD API entry point
- W, `8 j+ A) ?: {& q3 C4 _& t add ax, di
, O6 I4 I/ [+ J' \0 Q test ax,ax3 S) f. E+ R' t+ k/ S) p/ i
jnz SoftICE_Detected
4 H, @. W4 ]$ S) [8 {
6 ?' Z8 I" Z5 J/ |__________________________________________________________________________
! ?* m/ [* U7 E5 n0 y! q. B
. D( G) N# E. Z& [
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so that with no system debugger present ax stays
unchanged:

    xor ax,ax
    mov es,ax             ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; random value from the timer port
    xor cx,cx
    int 41h               ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; ...unless a debugger intercepted the int
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

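To make the two DR7 values quoted above concrete, here is an added example (mine, not from the original text) that decodes a DR7 value by the bit layout documented in the Intel manuals: 0x400 is only the always-set reserved bit 10, 0x700 additionally has LE (bit 8) and GE (bit 9) set, and neither arms any of DR0-DR3; a memory breakpoint shows up as an L/G enable bit plus the R/W and LEN field of that register. This is the reading you need when a DR7 value turns up in a crash dump or a hypervisor trap log. The value 0x000D0001 is a constructed sample.

```python
"""Decode an x86 DR7 value into the hardware breakpoints it describes.

Added example, not from the original text. Bit layout per the Intel SDM:
L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always reads as 1,
GD bit 13, and one R/W (2 bits) + LEN (2 bits) field per register from bit 16.
"""
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the armed breakpoints plus the LE/GE/GD control bits."""
    bps: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue  # DRi only counts when its L or G enable bit is set
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append({
            "reg": f"dr{i}",
            "scope": "+".join(s for s, f in (("local", local), ("global", glob)) if f),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": bps,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def has_memory_breakpoint(dr7: int) -> bool:
    """True when any of DR0-DR3 is armed, i.e. a BPM-style breakpoint exists."""
    return bool(decode_dr7(dr7)["breakpoints"])


def describe(dr7: int) -> str:
    """One-line human-readable summary of a DR7 value."""
    d = decode_dr7(dr7)
    parts = [f"DR7={dr7:#010x}", f"LE={int(d['le'])}",
             f"GE={int(d['ge'])}", f"GD={int(d['gd'])}"]
    for bp in d["breakpoints"]:
        parts.append(f"{bp['reg']}:{bp['scope']} {bp['kind']} len={bp['length']}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, and one 4-byte write
    # watchpoint armed locally on DR0 (the shape of a SoftICE BPM).
    for value in (0x400, 0x700, 0x000D0001):
        print(describe(value))
```

Neither 0x400 nor 0x700 arms a debug register, which is why the text can use them purely as a "loaded through the SoftICE loader or not" indicator, while the presence of any BPM is visible as a populated breakpoint entry regardless of those control bits.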
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

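Most of the tricks above (Methods 01 to 07, 11, 12 and 13) leave fixed byte sequences or strings in the binary that uses them, so a sample can be triaged statically, in addition to catching the check at run time with the BPX lines quoted in each method. The following scanner is an added example in Python, not code from the original text: the opcode patterns are my own encodings of the listed instruction sequences (16-bit forms, with an optional 66h operand-size prefix so the 32-bit encodings match as well), the string indicators are the device and registry names quoted in Methods 11 and 13, and the sample buffer is constructed here from the Haspinst.exe fragment of Method 02, the Method 01 and Method 12 sequences, and a MeltICE device name.

```python
"""Static scanner for the SoftICE-detection idioms catalogued above.

Added example, not part of the original text. Byte patterns are my own
encodings of the listed instructions; the gaps (.{0,n}) tolerate the
register setup the listings interleave between the characteristic bytes.
"""
import re
import sys
from typing import Dict, List, Tuple

OP66 = rb"(?:\x66)?"                              # optional operand-size prefix
CMP_AX_F386 = OP66 + rb"\x3d\x86\xf3"             # cmp ax, 0F386h

CODE_PATTERNS: Dict[str, bytes] = {
    "M01 BoundsChecker int 3 check (mov ebp,'BCHK' ... int 3)":
        rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc",
    "M02 SoftICE int 3 backdoor (mov si,4647h / mov di,4A4Dh)":
        OP66 + rb"\xbe\x47\x46.{0,6}" + OP66 + rb"\xbf\x4d\x4a",
    "M03/M04 int 2Fh/1684h VxD entry point (SICE 0202h or SIWVID 7A5Fh)":
        OP66 + rb"\xb8\x84\x16.{0,4}" + OP66
        + rb"\xbb(?:\x02\x02|\x5f\x7a).{0,4}\xcd\x2f",
    "M05 int 41h/4Fh debugger check (magic F386h)":
        OP66 + rb"\xb8\x4f\x00.{0,12}\xcd\x41.{0,12}" + CMP_AX_F386,
    "M07 int 68h/43h WinICE handler check (magic F386h)":
        rb"\xb4\x43.{0,4}\xcd\x68.{0,8}" + CMP_AX_F386,
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}

STRING_INDICATORS: Dict[str, List[bytes]] = {
    "M11 MeltICE device name": [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"],
    "M13 SoftICE registry key": [rb"Software\NuMega\SoftICE",
                                 rb"Uninstall\SoftICE",
                                 rb"App Paths\Loader32.Exe"],
}

Hit = Tuple[int, str]


def scan(buf: bytes) -> List[Hit]:
    """Return (offset, description) for every indicator found in buf."""
    hits: List[Hit] = []
    for name, pat in CODE_PATTERNS.items():
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), name))
    for name, needles in STRING_INDICATORS.items():
        for needle in needles:
            text = needle.decode("ascii")
            # The names may be stored as ANSI (CreateFileA) or UTF-16 (W API).
            variants = (("", needle), (" (utf-16)", text.encode("utf-16-le")))
            for label, enc in variants:
                for m in re.finditer(re.escape(enc), buf, re.IGNORECASE):
                    hits.append((m.start(), f"{name}: {text}{label}"))
    return sorted(hits)


# Constructed sample: the Haspinst.exe fragment from Method 02 re-encoded
# (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3), then the
# Method 01 sequence, the Method 12 pushes, and a MeltICE device name string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"           # M02 at 16
    + b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x05"   # M01 at 36
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                               # M12 at 54
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                            # M11 at 65
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, what in scan(data):
        print(f"{off:#010x}  {what}")
```

Run it with a file argument to scan a sample, or with none to scan the built-in buffer. A hit is a triage indicator, not proof: `cmp ax,0F386h` or a `\\.\SICE` string can occur in unrelated code, so confirm the surrounding control flow (the `jz`/`jnz` branch to the bad path) the way the listings above do.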
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>