<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature recognised by SoftICE's int 3 handler:
if SoftICE is loaded, the handler sees 'BCHK' in EBP and function 4 in AX
and modifies AL; if it is not loaded, AL still holds 4 after the int 3.

    mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h             ; BoundsChecker function 4
    int 3                   ; SoftICE intercepts int 3
    cmp al, 4               ; AL modified -> SoftICE answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((
Here is a quick description of the functions (selected by AX):
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is not
loaded, ES:DI comes back unchanged as 0:0.

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0:0 -> no SICE VxD
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0:0 -> no SIWVID VxD
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.
The following one is the simplest:

    mov ax, 4Fh             ; int 41h function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic value returned when a system debugger is present
    jz SoftICE_Detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector in the
real-mode interrupt vector table is replaced by a dummy IRET handler before
the call and restored afterwards. Hijacking the vector does not hide the
debugger: SoftICE handles int 41h before the real-mode vector is reached
and still answers 0F386h, whereas without a debugger the dummy handler
leaves AX unchanged:

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no 4Fh function number and no 0F386h constant to search for. The dummy
handler copies AL into CL; AL is loaded with a changing value read from the
timer port before the call, so if the handler really ran, CL equals AL
afterwards. If the interrupt was swallowed by the debugger without reaching
the vector, CL is still 0 and the comparison fails.

int41handler PROC
    mov cl, al              ; proves that our handler was reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT channel 0 counter: a value that changes every call
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86 mode), function 43h,
which returns the same 0F386h magic value as int 41h/4Fh.

    mov ah, 43h             ; int 68h function 43h
    int 68h
    cmp ax, 0F386h          ; magic value returned by a system debugger
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
      BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h (single step) or 03h (breakpoint)
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the Debug Registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7 = 0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints (BPM) are set, since those
are armed through DR0-DR3 and enabled by the bits of DR7. The values can
be manipulated or changed as well (clearing BPMs, for instance).

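The following Python helper is an added example written for this page (it is
not code from the original author): it decodes a DR7 value the way a ring 0
check of this kind interprets it, listing which of DR0-DR3 are enabled, the
access type and length of each breakpoint, and whether the LE/GE bits that the
page associates with the SoftICE loader are set. The bit layout is the
documented x86 DR7 format; the sample values and the function names are this
example's own. Reading DR7 itself has to be done in ring 0 (a mov from DR7 in
ring 3 faults), so the helper only interprets a value you have already
obtained.

```python
# Decoder for x86 DR7 values, written for this page as an added example.
# The bit layout is the architectural one (Intel SDM vol. 3, "Debug
# Registers"); the heuristic in softice_verdict() is the one the page
# states (0x400 = idle, 0x700 = loaded via the SoftICE loader).
# The sample values below are constructed; function names are this
# example's own.
#
# DR7 fields:
#   bit 2*i    : Li  local enable for DRi       (i = 0..3)
#   bit 2*i+1  : Gi  global enable for DRi
#   bit 8, 9   : LE, GE  "exact breakpoint" bits (legacy, set by some debuggers)
#   bit 10     : reserved, always reads as 1 -> a completely idle DR7 is 0x400
#   bit 13     : GD  general detect (trap any access to the debug registers)
#   bits 16+4i : R/Wi  00 execute, 01 write, 10 I/O (with CR4.DE), 11 read/write
#   bits 18+4i : LENi  00 1 byte, 01 2 bytes, 10 8 bytes (64-bit), 11 4 bytes
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its fields.

    Returns a dict with the list of armed breakpoint slots (DRi index,
    local/global scope, access type, length) plus the LE, GE and GD flags.
    """
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # Li and Gi clear: DRi is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "dr": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def softice_verdict(dr7):
    """Apply the page's heuristic to a DR7 value read in ring 0."""
    d = decode_dr7(dr7)
    if d["slots"]:
        armed = ",".join("DR%d" % s["dr"] for s in d["slots"])
        return "hardware breakpoint(s) armed: " + armed   # a BPM is set
    if d["le"] and d["ge"]:
        return "LE/GE set: program was loaded with the SoftICE loader"
    return "clean"


if __name__ == "__main__":
    # Constructed values: idle, SoftICE loader, and a 4-byte write BPM on DR0
    # (L0=1, R/W0=01, LEN0=11 -> 0x000D0401).
    for value in (0x400, 0x700, 0x000D0401):
        print("DR7=%08X -> %s" % (value, softice_verdict(value)))
```

The verdict function deliberately ignores GD: if general detect were set, the
mov that reads DR7 would itself trap, so a program that got as far as decoding
the value never saw GD set.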
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the driver is loaded, the open
succeeds and the debugger is detected.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025        ; "\\.\SICE"
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE ?
00401074: je 00401091          ; open failed -> not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  comparison looks at the first four characters of the device name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0 on failure
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004Fh           ; function 4Fh (debugger installation check)
    push 002A002Ah           ; high word selects the VxD (002A = VWIN32),
                             ; low word the service (002A = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

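Because every trick above boils down to a handful of fixed instruction
sequences and constants, a practitioner looking at a packed executable usually
starts by scanning the image for them. The Python scanner below is an added
example written for this page (not the original author's code): it matches the
byte encodings of the tricks from Methods 01 to 07 and 12 (16-bit encodings
for the DOS tricks, 32-bit ones for the Win32 tricks) plus the device names
used by Method 11, and reports where each one hits. The sample blob is
constructed to contain five of the signatures; the signature names and the
scan functions are this example's own. Real packers reorder, split or
obfuscate these sequences, so treat the exact-byte patterns as a starting
point, not a complete detector.

```python
# Signature scanner for the SoftICE-detection sequences catalogued on this
# page.  Added example, not code from the page's author.  Encodings are
# standard x86: 16-bit for the DOS tricks, 32-bit for the Win32 ones.
# The SAMPLE blob at the bottom is constructed for the demo.

SIGNATURES = [
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BCHK int 3",           bytes([0xBD, 0x4B, 0x48, 0x43, 0x42,
                                        0x66, 0xB8, 0x04, 0x00, 0xCC])),
    # Method 02 (16-bit): mov si,4647h ('FG') ; mov di,4A4Dh ('JM') ; int 3
    ("M02 int 3 backdoor",       bytes([0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC])),
    # Method 02 (32-bit): same moves with operand-size prefixes
    ("M02 int 3 backdoor (32)",  bytes([0x66, 0xBE, 0x47, 0x46,
                                        0x66, 0xBF, 0x4D, 0x4A, 0xCC])),
    # Method 03/04 (16-bit): mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("M03 int 2F/1684 SICE",     bytes([0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F])),
    ("M04 int 2F/1684 SIWVID",   bytes([0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F])),
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41/4F",            bytes([0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3])),
    # Method 07 (16-bit): mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68/43",            bytes([0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3])),
    # Method 11: device names opened with CreateFileA / _lopen
    ("M11 MeltICE SICE",         b"\\\\.\\SICE"),
    ("M11 MeltICE SIWVID",       b"\\\\.\\SIWVID"),
    ("M11 MeltICE NTICE",        b"\\\\.\\NTICE"),
    # Method 12 (32-bit): push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch)
    ("M12 VxDCall Int41Dispatch", bytes([0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00])),
]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, pat in SIGNATURES:
        start = 0
        while True:
            off = blob.find(pat, start)
            if off < 0:
                break
            hits.append((off, name))
            start = off + 1          # keep going: a packer may repeat a trick
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk (for a packed PE, unpack or dump it first)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Haspinst-style backdoor call, the int 2Fh and int 41h
# checks, the int 68h check and a MeltICE device name, with nop filler.
SAMPLE = bytes([
    0x90, 0x90,                                      # filler
    0xB8, 0x11, 0x09,                                # mov ax,0911h
    0x8B, 0x17,                                      # mov dx,[bx]
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,        # Method 02 at offset 7
    0x31, 0xFF, 0x8E, 0xC7,                          # xor di,di ; mov es,di
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  # Method 03 at offset 18
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  # Method 05 at offset 26
    0x90,                                            # filler
    0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3,        # Method 07 at offset 35
]) + b"\\\\.\\SICE\x00"                              # Method 11 at offset 42


if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%06X  %s" % (off, name))
```

Running the block on SAMPLE lists the four instruction sequences and the
device name at the offsets noted in the comments; a clean blob gives an empty
list.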
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; offset 0x13 is where 'tICE' sits in
"Software\NuMega\SoftICE" and 0x37 where it sits in the #1 key.)
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>