<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; replace the int 41h vector with our own handler
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; replace the int 41h vector with our own handler
 xchg bx, es:[41h*4+2]
 in al, 40h             ; al = a value read from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; cl != al means our handler was never reached
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number     ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the driver by its device name: succeeds only if SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

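Added example (not from the original text): a small portable C model of the two
breakpoint conditions quoted above, the CreateFileA one of Method 11 and the
_regopenkey one of Method 13. It shows where the constants 4, 0x13 and 0x37 come
from: esp->4 and esp->8 are the first and second stack arguments (lpFileName and
lpSubKey), and the offset is the position of 'SICE'/'tICE' inside that string.
Function names are my own, the inputs are the strings listed on this page, and no
Windows API is called.

```c
/* Added example, not from the original text: a portable model of the two
   SoftICE breakpoint conditions quoted for Method 11 and Method 13.
   Function names are my own; only constructed strings are used and no
   Windows API is called. */

typedef unsigned long usize;          /* stands in for size_t */

static usize str_len(const char *s)
{
    usize n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* The SoftICE expression  *(p+off)=='SICE'  reads the dword at p+off and
   compares it with the four characters. This does the same byte by byte,
   and reports no match when the string ends before off+4 (the real
   breakpoint would read whatever memory follows the terminator). */
static int dword_at_is(const char *s, usize off, const char *tag)
{
    usize i;
    if (off + 4 > str_len(s))
        return 0;
    for (i = 0; i != 4; i++)
        if (s[off + i] != tag[i])
            return 0;
    return 1;
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || 'NTIC'
   esp->4 is the first argument, lpFileName; +4 skips the "\\.\" device
   prefix, so the dword tested is the first four letters of the driver name. */
int meltice_name_matches(const char *lpFileName)
{
    return dword_at_is(lpFileName, 4, "SICE")
        || dword_at_is(lpFileName, 4, "SIWV")
        || dword_at_is(lpFileName, 4, "NTIC");
}

/* Where "tICE" sits in a subkey string, or -1 if it is absent. On the two
   keys the page lists this gives 0x13 (Software\NuMega\SoftICE) and 0x37
   (...\CurrentVersion\Uninstall\SoftICE), the constants in the breakpoint. */
long tice_offset(const char *s)
{
    usize n = str_len(s), i;
    for (i = 0; n >= i + 4; i++)
        if (dword_at_is(s, i, "tICE"))
            return (long)i;
    return -1;
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is the second argument, lpSubKey. */
int regkey_matches(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE")
        || dword_at_is(lpSubKey, 0x37, "tICE");
}
```

Key #3 (App Paths\Loader32.Exe) contains no 'tICE' at either offset, which is why the breakpoint above does not fire on it.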
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>