<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature handled by SoftICE: with EBP = 'BCHK' and AX = 4,
the int 3 handler of a loaded SoftICE answers the request and AL no longer
holds 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  without SoftICE, int 3 raises an exception and the handler resumes at 00AD.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI is non-zero.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily swaps the int 41h
vector with a dummy handler (a bare iret) before issuing the call, so a
0F386h reply cannot come from a handler installed in the interrupt vector
table; only a resident system debugger answers:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must be 0 here (IVT segment), as set in Method 06
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect.
Instead of looking for 0F386h, it installs an int 41h handler that copies AL
into CL and calls int 41h with AL holding an unpredictable value read from
the timer port. If no debugger is present the installed handler runs and
CL == AL; if SoftICE takes int 41h itself, the handler never runs, CL stays 0
and the compare fails:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT channel 0 counter: unpredictable value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note also that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPM) are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can also be manipulated or
changed (clearing BPMs, for instance).

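Decoding the debug-register values quoted above, as an added example that is not part of the original text: the DR7 field layout is the one documented in the Intel manuals, and `classify` applies the page's own 0x700 / 0x400 heuristic to sample register contents. The sample values are constructed; on a real system you would read DR0-DR7 from ring 0 as the text says.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7      L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit 8 LE, bit 9 GE            exact-breakpoint hints (SoftICE loader: both set -> 0x700)
#   bit 10                        reserved, always reads as 1 (hence the 0x400 floor)
#   bit 13 GD                     general detect: #DB on any MOV to/from a DRn
#   bits 16+4n..17+4n  R/Wn       00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4n..19+4n  LENn       00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the list of armed breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                          # slot n disarmed: its RW/LEN bits are noise
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"dr": n, "local": bool(local), "global": bool(glob),
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "slots": slots}


def classify(dr7: int, dr0_3) -> str:
    """The page's heuristic: an armed slot or a non-zero DR0-DR3 means a BPM is set;
    LE and GE both set (the 0x700 case) means the program was started by the
    SoftICE loader; the bare reserved bit (0x400) is the clean baseline."""
    d = decode_dr7(dr7)
    if d["slots"] or any(dr0_3):
        return "hardware breakpoint(s) set"
    if d["le"] and d["ge"]:
        return "debugger present (LE/GE set)"
    return "clean"


def describe(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """Human-readable dump of one DR7/DR0-3 snapshot."""
    d = decode_dr7(dr7)
    lines = [f"DR7={dr7:#010x}: LE={int(d['le'])} GE={int(d['ge'])} GD={int(d['gd'])}"]
    for s in d["slots"]:
        scope = "global" if s["global"] else "local"
        lines.append(f"  DR{s['dr']}={dr0_3[s['dr']]:#010x} {scope} {s['type']} len={s['len']}")
    lines.append("  -> " + classify(dr7, dr0_3))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed snapshots: clean, SoftICE-loader, and one 4-byte write BPM on DR0.
    for dr7, regs in ((0x400, (0, 0, 0, 0)),
                      (0x700, (0, 0, 0, 0)),
                      (0x000D0401, (0x00401000, 0, 0, 0))):
        print(describe(dr7, regs))
```

One caveat a practitioner should keep in mind: DR7 bit 13 (GD) makes the CPU raise #DB on the very MOV that reads a debug register, so a debugger that sets it can intercept the read and hand back 0x400 instead of its real DR7. The check is only as trustworthy as the ring 0 code path that performs it.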
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

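The breakpoints listed under each method catch these tricks at run time. The other half of the job is finding them statically in a packed or protected binary before running it. The following scanner is an added example, not part of the original text: it turns the listings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into byte signatures and reports every hit in a buffer. The opcode encodings are hand-assembled from those listings (the 66h prefix that 32-bit code puts in front of 16-bit moves does not break a match, because the immediates follow the opcode byte either way); the sample buffer is constructed for the demo and is not taken from any real program.

```python
import re

# Opcode patterns for the tricks catalogued above, as regexes over raw bytes.
# Immediates are little-endian. Encodings are for 16-bit code; 32-bit code only
# adds a 66h operand-size prefix in front of the same bytes, so both still match.
_SIGS = [
    ("M01 BoundsChecker 'BCHK' probe: mov ebp,4243484Bh ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,6}\xCC"),
    ("M02 SoftICE back door: mov si,4647h / mov di,4A4Dh ... int 3",
     rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC"),
    ("M03/M04 int 2Fh/1684h VxD probe: mov ax,1684h; mov bx,0202h|7A5Fh; int 2Fh",
     rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F"),
    ("M05 int 41h/4Fh debugger check: mov ax,4Fh; int 41h",
     rb"\xB8\x4F\x00.{0,4}\xCD\x41"),
    ("M07 V86 handler check: mov ah,43h; int 68h",
     rb"\xB4\x43.{0,4}\xCD\x68"),
    ("M11 MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     b"|".join(re.escape(n) for n in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"))),
    ("M12 VxDCall VWIN32_Int41Dispatch: push 4Fh; push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("M13 registry lookup: Software\\NuMega\\SoftICE",
     re.escape(rb"Software\NuMega\SoftICE")),
]
SIGNATURES = [(label, re.compile(pat, re.DOTALL)) for label, pat in _SIGS]


def scan(data: bytes) -> list:
    """Return [(offset, label), ...] for every signature found in data, sorted by offset."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def labels_found(data: bytes) -> list:
    """Only the method labels, de-duplicated, in the order they first appear."""
    seen = []
    for _, label in scan(data):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample (not a real executable): the listings above, hand-assembled
# into bytes and separated by NOP padding.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"      # Method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (Haspinst loop body)
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03 (WINICE VxD ID)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # Method 11 device names
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # Method 12 VxDCall
)


if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:06x}  {label}")
```

The short wildcard windows (`.{0,8}`) are deliberate: packers reorder the two magic-value moves or slip a prefix or a junk instruction between them, and a strict byte-for-byte match would miss exactly the samples worth flagging. Widen them with care, since a very loose window on the `int 3` patterns starts matching ordinary code.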
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.

</PRE></TD></TR></TBODY></TABLE>