About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP = 'BCHK' and
AX = 4, SoftICE's int 3 handler recognises the request and changes AL;
without SoftICE the int 3 returns with AL still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL still 4 -> nobody answered the request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"). When the VxD is not loaded, ES:DI comes back
unchanged, which is why both are zeroed first.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of WINICE
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 only if nobody filled ES:DI
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first installs its own,
harmless int 41h handler in the interrupt vector table, so the call cannot
crash when no debugger is present; SoftICE handles int 41h itself and still
answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)...
    xchg    bx, es:[41h*4+2]        ; ...and segment, keeping the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: AX stays 4Fh without a debugger
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: AX is
not set to 4Fh (so a "BPINT 41 if ax==4f" never fires). The program's own
handler copies AL into CL; if SoftICE handles the int 41h itself, so that
the handler never runs or AL is modified, CL differs from AL.

int41handler PROC
    mov     cl,al                   ; only reached when nobody intercepted int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
                                    ; (a zero read gives a false negative)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
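The magic values of methods 01 to 07 can be turned into byte signatures and searched for in a code image. The scanner below is an added example, not code from the original post or from any packer: it encodes the immediates as 16-bit x86 instruction bytes (mov si,4647h is BE 47 46; mov ebp,4243484Bh is BD 4B 48 43 42 after the optional 66h prefix) and runs them over a small code image constructed here for the example. Caveat: a packer that builds the values at run time, or loads them through another register, defeats a byte signature; this only catches the literal form shown in the text.

```c
/* Added example (not from the original post): byte-signature scanner for the
 * int 3 / int 2Fh / int 41h / int 68h tricks of methods 01-07. The sample
 * image below is constructed for this example, not taken from Haspinst.exe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;   /* which anti-SoftICE method the bytes belong to */
    const uint8_t *bytes;
    size_t         len;
} softice_sig;

/* Immediates are little-endian: 4647h -> 47 46, 4243484Bh -> 4B 48 43 42. */
static const uint8_t SIG_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh ('BCHK')  */
static const uint8_t SIG_SI_FG[]  = { 0xBE, 0x47, 0x46 };             /* mov si,4647h  (back door)   */
static const uint8_t SIG_DI_JM[]  = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh  (back door)   */
static const uint8_t SIG_SICE[]   = { 0xBB, 0x02, 0x02 };             /* mov bx,0202h  (SICE VxD ID) */
static const uint8_t SIG_SIWVID[] = { 0xBB, 0x5F, 0x7A };             /* mov bx,7A5Fh  (SIWVID ID)   */
static const uint8_t SIG_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 }; /* mov ax,4Fh / int 41h        */
static const uint8_t SIG_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };       /* mov ah,43h / int 68h        */

static const softice_sig SIGS[] = {
    { "01 BoundsChecker 'BCHK'", SIG_BCHK,   sizeof SIG_BCHK   },
    { "02 back door SI=4647h",   SIG_SI_FG,  sizeof SIG_SI_FG  },
    { "02 back door DI=4A4Dh",   SIG_DI_JM,  sizeof SIG_DI_JM  },
    { "03 int 2F/1684 SICE",     SIG_SICE,   sizeof SIG_SICE   },
    { "04 int 2F/1684 SIWVID",   SIG_SIWVID, sizeof SIG_SIWVID },
    { "05 int 41h/4Fh",          SIG_INT41,  sizeof SIG_INT41  },
    { "07 int 68h/43h",          SIG_INT68,  sizeof SIG_INT68  },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { size_t offset; const char *method; } sig_hit;

/* Scan a raw code image and record every signature match.
 * Returns the total number of matches (only the first max_hits are stored). */
size_t scan_softice_sigs(const uint8_t *code, size_t len, sig_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (SIGS[s].len <= len - off &&
                memcmp(code + off, SIGS[s].bytes, SIGS[s].len) == 0) {
                if (n < max_hits) { hits[n].offset = off; hits[n].method = SIGS[s].method; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed 16-bit code image: method 02, padding, method 01, method 05. */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,                      /* 00: mov ax,0911h         */
    0x8B, 0x17,                            /* 03: mov dx,[bx]          */
    0xBE, 0x47, 0x46,                      /* 05: mov si,4647h         */
    0xBF, 0x4D, 0x4A,                      /* 08: mov di,4A4Dh         */
    0xCC,                                  /* 0B: int 3                */
    0x90, 0x90, 0x90, 0x90,                /* 0C: nop x4               */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,    /* 10: mov ebp,4243484Bh    */
    0xB8, 0x04, 0x00,                      /* 16: mov ax,4             */
    0xCC,                                  /* 19: int 3                */
    0x3C, 0x04,                            /* 1A: cmp al,4             */
    0x75, 0x00,                            /* 1C: jnz $+2              */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,          /* 1E: mov ax,4Fh / int 41h */
    0x3D, 0x86, 0xF3,                      /* 23: cmp ax,0F386h        */
    0x74, 0x00,                            /* 26: jz $+2               */
};

size_t scan_sample(sig_hit *hits, size_t max_hits)
{
    return scan_softice_sigs(SAMPLE, sizeof SAMPLE, hits, max_hits);
}

int main(void)
{
    sig_hit hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %04zX: method %s\n", hits[i].offset, hits[i].method);
    return 0;
}
```

Running it reports the SI/DI pair at offsets 5 and 8, the 'BCHK' immediate at 17 (the byte after the 66h prefix) and the int 41h/4Fh pair at 30; a plain DOS exit sequence produces no hits.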
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 always reads as 1) or if there are some memory breakpoints set
(dr0 to dr3) simply by reading their value (in ring0 only, since a mov from
a debug register is a privileged instruction). Values can be manipulated and
changed as well (clearing BPMs for instance).
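To make the DR7 values quoted above concrete, here is an added example (not part of the original post) that decodes DR7 the way the ring-0 check of method 10 would have to: which of DR0..DR3 are armed, whether each watches code (a BPX) or data (a BPM), and whether the LE/GE bits that turn 0x400 into 0x700 are set. The input values are constructed for the example; on a real machine they come from mov eax,dr7 executed in ring 0, which faults in ring 3.

```c
/* Added example (not from the original post): DR7 decoding for method 10.
 * Bit layout (Intel SDM): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
 * bit 10 reserved (reads 1), GD bit 13, R/W<n> at bits 16+4n, LEN<n> at 18+4n. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool     enabled;   /* L<n> or G<n> set                                         */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    unsigned len;       /* watched length in bytes                                  */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    bool le, ge;        /* bits 8/9: exact-match bits, the 0x300 part of 0x700      */
    bool gd;            /* bit 13: general detect, traps any debug-register access  */
} dr7_info;

static unsigned len_bytes(unsigned code)
{
    /* LEN encoding: 00 -> 1, 01 -> 2, 11 -> 4, 10 -> 8 (64-bit mode only) */
    static const unsigned tbl[4] = { 1, 2, 8, 4 };
    return tbl[code & 3];
}

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info;
    for (unsigned i = 0; i < 4; i++) {
        bool local  = (dr7 >> (2 * i))     & 1;
        bool global = (dr7 >> (2 * i + 1)) & 1;
        info.slot[i].enabled = local || global;
        info.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        info.slot[i].len = len_bytes((dr7 >> (18 + 4 * i)) & 3);
    }
    info.le = (dr7 >> 8)  & 1;
    info.ge = (dr7 >> 9)  & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* Number of armed hardware breakpoints, code or data. */
unsigned dr7_active_breakpoints(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    unsigned n = 0;
    for (unsigned i = 0; i < 4; i++) n += info.slot[i].enabled;
    return n;
}

/* True when an armed slot watches data (R/W != 0): a SoftICE BPM. */
bool dr7_has_memory_breakpoint(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    for (unsigned i = 0; i < 4; i++)
        if (info.slot[i].enabled && info.slot[i].rw != 0) return true;
    return false;
}

/* The page's heuristic: 0x700 means LE|GE were set by the debugger loader,
 * 0x400 is just the always-one reserved bit with nothing armed. */
bool dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm one slot: the bits a debugger writes for "BPM addr RW" (rw=3, len_code=3). */
uint32_t dr7_arm(uint32_t dr7, unsigned slot, unsigned rw, unsigned len_code, bool global)
{
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= (((len_code & 3u) << 2) | (rw & 3u)) << (16 + 4 * slot);
    return dr7;
}

int main(void)
{
    uint32_t samples[3] = { 0x400, 0x700, dr7_arm(0x400, 0, 3, 3, false) };
    for (int i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%08X armed=%u bpm=%d le=%d ge=%d slot0(rw=%u len=%u)\n",
               samples[i], dr7_active_breakpoints(samples[i]),
               dr7_has_memory_breakpoint(samples[i]), d.le, d.ge,
               d.slot[0].rw, d.slot[0].len);
    }
    return 0;
}
```

A dword BPM on slot 0 yields 0x000F0401: L0 set, R/W0 = 11 (read/write), LEN0 = 11 (4 bytes), plus the reserved bit. Clearing a BPM, as the text mentions, means zeroing the slot's enable bit in DR7 before the program reads it.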

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the VxD's device name succeeds only when the driver is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in the
     subkey strings of #2 and #1 respectively.)
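The two breakpoint conditions quoted for methods 11 and 13 depend on fixed offsets into the argument strings. The following added example (not from the original post) writes both conditions as plain C so the offsets can be checked against the device and registry names given in the text, and puts an offset-independent, case-insensitive substring check beside them; the lowercase and non-device sample strings used in the test are constructed for the example.

```c
/* Added example (not from the original post): the CreateFileA and _regopenkey
 * breakpoint conditions of methods 11 and 13 as C, plus a looser check. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE evaluates *(p)=='SICE' by comparing the four bytes at p with the
 * characters S,I,C,E in memory order; this does the same without reading
 * past the end of the string. */
static bool dword_at_is(const char *s, size_t off, const char *tag4)
{
    size_t len = strlen(s);
    return off + 4 <= len && memcmp(s + off, tag4, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first argument); +4 skips the "\\.\" prefix. */
bool createfile_bpx_fires(const char *lpFileName)
{
    return dword_at_is(lpFileName, 4, "SICE") ||
           dword_at_is(lpFileName, 4, "SIWV") ||
           dword_at_is(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument). 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE", 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
bool regopenkey_bpx_fires(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE") || dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Case-insensitive substring search (portable replacement for strcasestr). */
static bool contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t k = 0;
        while (k < n && tolower((unsigned char)hay[i + k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n) return true;
    }
    return false;
}

/* Offset-independent alternative: catches key paths and spellings the
 * fixed-offset breakpoints miss, at the cost of more false positives. */
bool mentions_softice(const char *s)
{
    return contains_nocase(s, "softice")      ||
           contains_nocase(s, "\\\\.\\sice")   ||
           contains_nocase(s, "\\\\.\\siwvid") ||
           contains_nocase(s, "\\\\.\\ntice");
}

int main(void)
{
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
                            "Software\\NuMega\\SOFTICE" };          /* constructed: case differs */
    for (int i = 0; i < 4; i++)
        printf("CreateFileA(%-22s) bpx=%d loose=%d\n", names[i],
               createfile_bpx_fires(names[i]), mentions_softice(names[i]));
    for (int i = 0; i < 4; i++)
        printf("RegOpenKey(%s) bpx=%d loose=%d\n", keys[i],
               regopenkey_bpx_fires(keys[i]), mentions_softice(keys[i]));
    return 0;
}
```

The offsets check out: "tICE" is at 0x13 in key #2 and at 0x37 in key #1, and key #3 never fires. The weak spots are also visible: a subkey spelled SOFTICE compares as 'TICE' and slips past the fixed-offset condition, and any path with four matching bytes at offset 4 (not only a "\\.\" device name) triggers the CreateFileA breakpoint.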

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>