About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

                                ; assumes ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read a timer byte as a pseudo-random value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

If SoftICE has taken over int 41h, the temporary handler above never runs,
so CL keeps the 0 set by xor cx,cx instead of the byte read into AL, and the
compare fails.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

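Added example, not part of the original post: a decoder for what this trick reads. It takes DR7 apart bit by bit (which explains the 0x400 and 0x700 values above: bit 10 is reserved and always reads as 1, LE/GE are bits 8 and 9) and checks whether an address falls inside any enabled DR0..DR3 watchpoint. As the post says, the registers can only be read in ring 0, so this works on values already captured (from a kernel debugger or a dump); the function and type names are my own and the sample register values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Decoded view of one of the four DR7 breakpoint slots. */
typedef struct {
    bool     enabled;   /* L(i) or G(i) bit set */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len_bytes; /* 1, 2, 4 or 8 */
} dr7_slot;

/* Whole-register view; 'active' counts enabled slots. */
typedef struct {
    dr7_slot slot[4];
    bool     le, ge;    /* bits 8/9: local/global exact breakpoint enable */
    unsigned active;
} dr7_view;

/* LEN field encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit only). */
static unsigned len_field_to_bytes(unsigned len)
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[len & 3];
}

dr7_view decode_dr7(uint32_t dr7)
{
    dr7_view v = { 0 };
    for (int i = 0; i < 4; i++) {
        bool l = (dr7 >> (2 * i)) & 1;
        bool g = (dr7 >> (2 * i + 1)) & 1;
        v.slot[i].enabled   = l || g;
        v.slot[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        v.slot[i].len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3);
        if (v.slot[i].enabled) v.active++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    return v;
}

/* True when 'addr' lies inside the range watched by an enabled slot:
 * DR0..DR3 hold the (length-aligned) base addresses, DR7 the control bits. */
bool addr_watched(uint32_t dr7, const uint32_t dr[4], uint32_t addr)
{
    dr7_view v = decode_dr7(dr7);
    for (int i = 0; i < 4; i++) {
        if (!v.slot[i].enabled) continue;
        uint32_t len  = v.slot[i].len_bytes;
        uint32_t base = dr[i] & ~(len - 1);
        if (addr >= base && addr < base + len) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample: 4-byte write watchpoint on 0x401000 in slot 0 (G0,
     * RW0=01, LEN0=11) on top of reserved bit 10, the post's "0x400". */
    uint32_t dr[4] = { 0x401000, 0, 0, 0 };
    uint32_t dr7 = 0x400 | 0x2 | (1u << 16) | (3u << 18);
    printf("dr7=%#x: %u slot(s) enabled, 0x401002 watched: %d\n",
           dr7, decode_dr7(dr7).active, addr_watched(dr7, dr, 0x401002));
    return 0;
}
```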
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the SICE VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>