<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK' in EBP) that SoftICE answers to:
if SoftICE is loaded, AL no longer equals 4 after the int 3.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is non-zero only if the VxD is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs ; ES is assumed to be 0 (interrupt vector table) here
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install a dummy int 41h handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; the dummy handler leaves AX unchanged; SoftICE returns 0F386h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected
int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC ; temporary int 41h handler: copies AL into CL
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer: an unpredictable value in AL
 xor cx,cx
 int 41h ; our handler sets CL=AL, unless SoftICE handles int 41h itself
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
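The two dr7 values quoted above can be read bit by bit. The decoder below is an added example, not part of the original text; it uses the documented Intel DR7 bit layout, and the register values fed to it are constructed.

```python
# Added example, not part of the original text: decode an x86 DR7 value so the
# two values quoted above (0x700 under the SoftICE loader, 0x400 otherwise) can
# be read bit by bit. Bit layout is the documented Intel one: L0,G0..L3,G3 in
# bits 0-7, LE bit 8, GE bit 9, bit 10 always reads as 1, GD bit 13, then a
# 2-bit R/Wn and a 2-bit LENn field per breakpoint slot starting at bit 16.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is undefined on 32-bit, 8 bytes on x86-64


def bit(value, n):
    """Return True if bit n of value is set."""
    return (value >> n) & 1 == 1


def decode_dr7(dr7):
    """Return the global DR7 flags plus one entry per enabled hardware breakpoint."""
    info = {"LE": bit(dr7, 8), "GE": bit(dr7, 9), "GD": bit(dr7, 13), "breakpoints": []}
    for n in range(4):
        local, glob = bit(dr7, 2 * n), bit(dr7, 2 * n + 1)
        if not (local or glob):
            continue                      # slot n is disabled: DRn holds no live BPM
        rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: what kind of access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: size of the watched range
        info["breakpoints"].append({"n": n, "local": local, "global": glob,
                                    "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return info


def looks_like_softice_loader(dr7):
    """0x700 - 0x400 == 0x300: the loader leaves LE and GE set with no slot enabled,
    which is the only difference between the two values the text reports."""
    return bit(dr7, 8) and bit(dr7, 9)


def enabled_bpms(dr7, dr0_3):
    """Pair every enabled slot with its address from DR0..DR3 (the 'memory
    breakpoints set' case the text describes)."""
    return [(dr0_3[bp["n"]], bp["type"], bp["len"]) for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    for value in (0x700, 0x400, 0x500404):          # constructed register values
        print(hex(value), decode_dr7(value), looks_like_softice_loader(value))
    print(enabled_bpms(0x500404, [0, 0x401000, 0, 0]))   # BPM 1: 2-byte write at 401000h
```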

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the SICE device name only succeeds when the driver is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
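Most of the tricks above leave static traces in the protected file itself. The following scan is an added example, not part of the original text: it looks through a binary image for the indicators of Methods 01, 02, 03/04, 05/12, 11 and 13 (opcode bytes are the standard x86 encodings, 16-bit for the DOS tricks as in the Haspinst listing; the SAMPLE image is constructed).

```python
import re

# Added example, not part of the original text: an analyst-side static scan of a
# binary image for the indicators of Methods 01, 02, 03/04, 05/12, 11 and 13.
# Opcode bytes are the standard x86 encodings (16-bit code for the DOS tricks,
# as in the Haspinst listing; 32-bit for the BCHK sequence); SAMPLE is constructed.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' int 3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (SoftICE back door magic values)
    "02 int 3 back door SI=4647h/DI=4A4Dh": re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID": re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/12: cmp ax,0F386h (3D 86 F3; a 66h prefix precedes it in 32-bit code)
    "05/12 cmp ax,0F386h": re.compile(rb"\x3D\x86\xF3"),
    # Method 11 (MeltICE): driver names passed to CreateFileA/_lopen
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal a SoftICE installation
    "13 SoftICE registry key": re.compile(
        rb"(NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", re.I),
}


def scan_image(image):
    """Return (method, offset, matched bytes) for every indicator found, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(image):
            hits.append((name, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


# Constructed image: a 16-byte filler header followed by one instance of each trick.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h; mov dx,[bx]; mov si/di; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"                      # registry key #2
)

if __name__ == "__main__":
    for method, offset, raw in scan_image(SAMPLE):
        print(f"{offset:#06x}  {method:40s} {raw!r}")
```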

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF is set when no debugger is installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>