<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
    -AX = 0912h (Get breakpoint info)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer count, a value hard to predict
    xor cx, cx
    int 41h                 ; our handler copies AL into CL; if a system
                            ; debugger answers int 41h itself, CL stays 0
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the driver by its device name; succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
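
Added example, not code from the original document nor from any tool it names:
a small Python scanner that looks, in a raw binary image, for the byte patterns
and strings behind Methods 01, 02, 03/04, 05/12, 07, 11 and 13, i.e. the static
counterpart of the BPX breakpoints given above, useful when triaging a packed
sample before loading it. The function names (scan, methods_used), the opcode
encodings and the byte gaps tolerated between instructions are this example's
own assumptions, and the image it scans is constructed inline.

```python
# Added example (not part of the original document): a static scanner that
# flags the anti-SoftICE sequences quoted in this text inside a raw binary.
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    method: str   # method number(s) from this document
    what: str     # what the matched bytes correspond to
    offset: int   # byte offset of the match in the scanned image


# Signatures derived from the instruction sequences and strings quoted above.
# An optional 0x66 operand-size prefix lets the 16-bit forms also match inside
# 32-bit code; the ".{0,N}" gaps are an assumed tolerance for interleaved
# instructions, not something the document specifies.
_SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh",
     re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    ("02", "back-door magic values: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03/04", "int 2Fh/1684h entry-point query for VxD ID 0202h or 7A5Fh",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    ("05/12", "system-debugger magic number: cmp ax,0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3", re.DOTALL)),
    ("07", "int 68h/43h WinICE V86 handler check",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL)),
    ("11", "MeltICE-style driver open by device name (SICE/SIWVID/NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("13", "SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(image: bytes) -> List[Finding]:
    """Return every signature hit in image, ordered by offset."""
    hits: List[Finding] = []
    for method, what, pattern in _SIGNATURES:
        for m in pattern.finditer(image):
            hits.append(Finding(method, what, m.start()))
    return sorted(hits, key=lambda f: (f.offset, f.method))


def methods_used(image: bytes) -> List[str]:
    """Distinct method numbers seen in image, sorted."""
    return sorted({f.method for f in scan(image)})


# Constructed sample: filler bytes around a few of the sequences quoted above.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh        (Method 01)
    + b"\x66\xB8\x04\x00\xCC"              # mov ax,4 / int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h             (Method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh (03)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # device names             (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key             (Method 13)
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"offset {f.offset:#06x}  method {f.method:<5}  {f.what}")
    print("methods used:", ", ".join(methods_used(SAMPLE)))
```

Hits are reported by file offset, so a match can be looked up directly in a
disassembler; a hit only says the pattern is present, not that the code path
is reachable, so confirm it in the debugger with the breakpoints listed above.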
</PRE></TD></TR></TBODY></TABLE>