<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP = 'BCHK'
and AX = 4, a loaded SoftICE intercepts the int 3 and returns AL = 0,
so AL still being 4 afterwards means SoftICE is not there.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler if the debugger
  is not loaded: without SoftICE the int 3 raises a breakpoint exception
  that the program's own handler catches.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD API entry point via
int 2Fh/1684h (Get VxD API entry point) with the WINICE VxD ID.
If the VxD is loaded, ES:DI comes back as a non-zero entry point;
otherwise it is left at 0:0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are 2 examples taken from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced
by a dummy handler and restored afterwards, so a plain int 41h returns
AX unchanged; SoftICE intercepts the interrupt regardless of what the
vector points to and still answers 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect,
because neither 4Fh nor 0F386h appears in it:

int41handler PROC
        mov cl,al               ; records that our handler saw the int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter byte: a hard-to-predict value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our handler was reached
        jnz SoftICE_detected

If SoftICE intercepts the int 41h, the temporary handler is never
reached, CL stays 0 and differs from AL. (The check misses if the timer
byte happens to be 0; that is rare, but it is a false negative the trick
accepts.)

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h is
the debugger installation check and returns AX = 0F386h when a debugger
is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
    EIP is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The VMM Get_DDB service is used to determine whether or not a VxD is
installed for the specified device, and returns the Device Description
Block (in ECX) for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints (BPM) are set (DR0 to DR3),
simply by reading their values (in ring 0 only, since MOV from a DRx is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).

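The two DR7 values quoted above are easier to reason about once decoded. What follows is an added example, not code from the original text or from any program it mentions: it interprets a DR7 value with the documented x86 layout (L0/G0..L3/G3 enable bits 0-7, LE bit 8, GE bit 9, the reserved bit 10 that always reads as 1, GD bit 13, and the RWn/LENn fields of each slot in bits 16-31), which shows that 0x400 is "nothing armed" and 0x700 is "LE and GE set", and builds the cleared value a ring-0 routine would write back to remove BPMs. It goes a little beyond the text in decoding all four slots and their condition/length fields. The read itself (mov eax,dr7) is privileged and is not performed here; the function names are mine and the three sample values are constructed, the third one standing for a 4-byte write BPM in DR0.

```c
/* Added example, not from the original text: interpret the DR7 value that
 * Method 10 reads in ring 0, using the documented x86 DR7 layout (L0/G0..
 * L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always 1, GD bit
 * 13, RWn/LENn in bits 16-31). The read itself (mov eax,dr7) is privileged
 * and is not performed here; the three sample values are constructed. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE       (1u << 8)    /* local exact breakpoint enable     */
#define DR7_GE       (1u << 9)    /* global exact breakpoint enable    */
#define DR7_RESERVED (1u << 10)   /* always reads as 1                 */
#define DR7_GD       (1u << 13)   /* general detect: #DB on DRx access */

/* Slot i (DR0..DR3) is armed when its local (Li) or global (Gi) bit is set. */
int dr7_slot_armed(uint32_t dr7, int i) { return ((dr7 >> (2 * i)) & 3) != 0; }

/* RWn field: 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE), 3 = read/write. */
int dr7_slot_rw(uint32_t dr7, int i) { return (int)((dr7 >> (16 + 4 * i)) & 3); }

/* LENn field 00/01/10/11 -> 1, 2, 8 (64-bit mode only), 4 bytes. */
int dr7_slot_len(uint32_t dr7, int i)
{
    static const int len_tab[4] = {1, 2, 8, 4};
    return len_tab[(dr7 >> (18 + 4 * i)) & 3];
}

/* Bitmask of armed slots (bit i = DRi); 0 means no hardware breakpoint at all. */
unsigned dr7_armed_slots(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7_slot_armed(dr7, i)) mask |= 1u << i;
    return mask;
}

/* The text's heuristic: 0x700 = LE|GE|reserved when the target was started
 * with the SoftICE loader, 0x400 = the reserved bit only otherwise. */
int dr7_has_exact_bits(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Disarm every BPM: clear the L/G enables and all RW/LEN fields, keep
 * LE/GE/GD and the reserved bit. This is the value a ring-0 routine would
 * write back with mov dr7,eax. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & ~(0x000000FFu | 0xFFFF0000u);
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_name[4] = {"exec", "write", "io", "read/write"};
    printf("DR7=%08X  LE=%d GE=%d GD=%d  exact bits (SoftICE loader)=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_has_exact_bits(dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_slot_armed(dr7, i))
            printf("  DR%d armed: %s, %d byte(s)\n", i,
                   rw_name[dr7_slot_rw(dr7, i)], dr7_slot_len(dr7, i));
}

int main(void)
{
    /* constructed: no SoftICE loader; SoftICE loader; loader plus a 4-byte
       write BPM in DR0 (L0 set, RW0 = 01, LEN0 = 11) */
    const uint32_t samples[] = { 0x00000400u, 0x00000700u, 0x000D0701u };
    for (size_t i = 0; i < 3; i++) {
        dr7_print(samples[i]);
        printf("  after clearing BPMs: %08X\n", dr7_clear_bpm(samples[i]));
    }
    return 0;
}
```

The reserved bit is why a "clean" DR7 is never 0: a protection that compares DR7 against 0 instead of masking bit 10 would flag every machine.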
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the
VxDCall function), and then browses the DDB list until it finds the VxD
and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could a
shareware soft try to load/unload a non-dynamically loadable driver such
as SoftICE ;-). If the VxD is loaded, it will always clear EAX and the
Carry flag to allow its handle to be opened, and it will then be
detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025          ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, which is
  why only the first four letters of the driver name are compared.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old Win16-style
_lopen function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
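Every interrupt or VxDCall based check in this list leaves fixed byte sequences in the protected program: the 'BCHK' and 'FG'/'JM' constants of Methods 01 and 02, the VxD IDs of Methods 03 and 04, the 4Fh and 43h function numbers with their INT opcodes (Methods 05, 06 and 07), the "\\.\SICE" style device names of Method 11 and the 2A002Ah service number of Method 12. The scanner below is an added example, not code from the original text or from any of the programs it mentions: it finds those constants in a raw code image and reports a hit only when the matching INT opcode, second magic value or service number follows within a short window, so a lone constant (the decoy at the end of the sample) is rejected. The sample image is hand-assembled here from the Haspinst.exe fragment of Method 02 and the other snippets, in the 16-bit or 32-bit encodings noted in the comments; the signature names, window sizes and the decision to leave the 66h operand-size prefix out of every pattern (so one entry matches both code models) are my own choices.

```c
/* Added example, not from the original text: signature scan for the
 * SoftICE checks of Methods 01-07, 11 and 12. Each entry is one distinctive
 * constant (key) plus up to two byte strings that must follow it within
 * `window` bytes (the INT opcode, the second magic value, the service
 * number), so a stray constant alone is not reported. Patterns omit the
 * 66h operand-size prefix so they match both 16-bit and 32-bit code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAXPAT 12
typedef struct {
    const char *name;
    uint8_t key[MAXPAT];    size_t key_len;     /* distinctive constant      */
    uint8_t req[2][MAXPAT]; size_t req_len[2];  /* must follow key; 0 = none */
    size_t window;                              /* bytes after key to search */
} sig_t;
enum { SIG_M01, SIG_M02, SIG_M03, SIG_M04, SIG_M05, SIG_M07,
       SIG_M11_SICE, SIG_M11_SIWVID, SIG_M11_NTICE, SIG_M12, SIG_COUNT };
static const sig_t sigs[SIG_COUNT] = {
  [SIG_M01] = { "M01 int 3 with EBP='BCHK', AX=4",
      {0xBD,0x4B,0x48,0x43,0x42}, 5, {{0xCC},{0}}, {1,0}, 16 },
  [SIG_M02] = { "M02 int 3 back door, SI='FG' DI='JM'",
      {0xBE,0x47,0x46}, 3, {{0xBF,0x4D,0x4A},{0xCC}}, {3,1}, 16 },
  [SIG_M03] = { "M03 int 2Fh/1684h, VxD ID 0202h (WINICE)",
      {0xB8,0x84,0x16}, 3, {{0xBB,0x02,0x02},{0xCD,0x2F}}, {3,2}, 16 },
  [SIG_M04] = { "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
      {0xB8,0x84,0x16}, 3, {{0xBB,0x5F,0x7A},{0xCD,0x2F}}, {3,2}, 16 },
  [SIG_M05] = { "M05/06 int 41h with AX=4Fh",
      {0xB8,0x4F,0x00}, 3, {{0xCD,0x41},{0}}, {2,0}, 16 },
  [SIG_M07] = { "M07 int 68h with AH=43h",
      {0xB4,0x43}, 2, {{0xCD,0x68},{0}}, {2,0}, 8 },
  [SIG_M11_SICE]   = { "M11 device name \\\\.\\SICE",
      {'\\','\\','.','\\','S','I','C','E'}, 8, {{0},{0}}, {0,0}, 0 },
  [SIG_M11_SIWVID] = { "M11 device name \\\\.\\SIWVID",
      {'\\','\\','.','\\','S','I','W','V','I','D'}, 10, {{0},{0}}, {0,0}, 0 },
  [SIG_M11_NTICE]  = { "M11 device name \\\\.\\NTICE",
      {'\\','\\','.','\\','N','T','I','C','E'}, 9, {{0},{0}}, {0,0}, 0 },
  [SIG_M12] = { "M12 VxDCall 2A002Ah (VWIN32_Int41Dispatch) with 4Fh",
      {0x6A,0x4F}, 2, {{0x68,0x2A,0x00,0x2A,0x00},{0}}, {5,0}, 8 },
};
static long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; plen && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}
/* Count the sites of one signature in buf; prints the offset of each hit. */
size_t count_sig(int which, const uint8_t *buf, size_t len)
{
    const sig_t *s = &sigs[which];
    size_t hits = 0;
    for (size_t i = 0; i + s->key_len <= len; i++) {
        if (memcmp(buf + i, s->key, s->key_len) != 0) continue;
        size_t start = i + s->key_len, win = len - start;
        if (win > s->window) win = s->window;     /* window is clipped at the end */
        int ok = 1;                               /* every required follower present? */
        for (int r = 0; r < 2; r++)
            if (s->req_len[r] && find_bytes(buf + start, win, s->req[r], s->req_len[r]) < 0)
                ok = 0;
        if (!ok) continue;
        printf("%06zx  %s\n", i, s->name);
        hits++;
    }
    return hits;
}
size_t scan_all(const uint8_t *buf, size_t len)
{
    size_t total = 0;
    for (int w = 0; w < SIG_COUNT; w++) total += count_sig(w, buf, len);
    return total;
}

/* Constructed test image: hand-assembled fragments, not a real binary. */
static const uint8_t sample[] = {
    /* Method 02, the Haspinst.exe fragment (16-bit code) */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x83,0xC3,0x02,
    /* Method 01 in 16-bit code (so mov ebp carries a 66h prefix) */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    /* Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh */
    0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    /* Method 05 in 32-bit code: mov ax,4Fh / int 41h / cmp ax,0F386h / jz */
    0x66,0xB8,0x4F,0x00, 0xCD,0x41, 0x66,0x3D,0x86,0xF3, 0x74,0x10,
    /* Method 07: mov ah,43h / int 68h */
    0xB4,0x43, 0xCD,0x68,
    /* Method 12: push 4Fh / push 2A002Ah / call [Kernel32!ORD_0001] */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xFF,0x15,0x00,0x10,0x40,0x00,
    /* Method 11 strings as MeltICE passes them to CreateFileA / _lopen */
    '\\','\\','.','\\','S','I','C','E',0, '\\','\\','.','\\','N','T','I','C','E',0,
    /* decoy: the 'FG' constant with no 'JM' and no int 3 after it */
    0xBE,0x47,0x46, 0x90,0x90, 0xC3,
};

int main(void)
{
    printf("%zu anti-SoftICE sites found\n", scan_all(sample, sizeof sample));
    return 0;
}
```

Run it over the code sections of the image you want to inspect; a packed program decodes these checks at run time, so dump memory after the unpacking stub has finished rather than scanning the file on disk. Method 09 and Method 14 (VMMCall from ring 0) and Method 10 (reading DR7) carry no constant this scanner can key on, and Method 13 is a registry lookup: those need the breakpoints given in their own sections.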
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey string; 0x13 and 0x37 are the offsets of "tICE"
  in keys #2 and #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). It returns with ZF set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>