About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
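Added illustration, not part of the original post: a small Python scanner that looks for the distinctive byte sequences of the tricks above (the immediates and interrupt numbers of methods 01 to 07 and the device names of method 11) in a buffer, the kind of static check an analyst runs over a packed sample before stepping into it. The instruction encodings assume the plain 16-bit forms shown in the listings, and the sample bytes are constructed here.

```python
from __future__ import annotations
import re

# Each rule is a set of x86 instruction fragments that must all fall within
# WINDOW bytes of each other.  Immediates are little-endian; the encodings
# assume the plain 16-bit forms shown in the listings above:
#   B8+r iw = MOV r16, imm16    CD ib = INT ib    CC = INT 3
#   3D iw   = CMP AX, imm16     B4 ib = MOV AH, imm8
WINDOW = 24

RULES = [
    ("BoundsChecker int 3 check (method 01)",
     [b"\xBD\x4B\x48\x43\x42", b"\xB8\x04\x00", b"\xCC"]),  # mov ebp,'BCHK'; mov ax,4; int 3
    ("Back-door int 3 magic values (method 02)",
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"]),          # mov si,4647h; mov di,4A4Dh; int 3
    ("int 2Fh/1684h for VxD 0202h SICE (method 03)",
     [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"]),      # mov ax,1684h; mov bx,0202h; int 2Fh
    ("int 2Fh/1684h for VxD 7A5Fh SIWVID (method 04)",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"]),
    ("int 41h/4Fh magic 0F386h (method 05)",
     [b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3"]),      # mov ax,4Fh; int 41h; cmp ax,0F386h
    ("int 68h/43h magic 0F386h (method 07)",
     [b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3"]),          # mov ah,43h; int 68h; cmp ax,0F386h
]

# Device names opened by MeltICE-style checks (method 11), ANSI or UTF-16.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _offsets(data: bytes, frag: bytes) -> list[int]:
    """Every offset at which frag occurs in data."""
    return [m.start() for m in re.finditer(re.escape(frag), data)]


def find_rule(data: bytes, frags: list[bytes], window: int = WINDOW) -> list[int]:
    """Offsets of frags[0] such that every other fragment also lies in [off, off+window)."""
    others = [_offsets(data, f) for f in frags[1:]]
    return [start for start in _offsets(data, frags[0])
            if all(any(start <= o < start + window for o in offs) for offs in others)]


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (description, offset) pairs for every pattern found, sorted by offset."""
    findings = [(name, off) for name, frags in RULES for off in find_rule(data, frags)]
    for dev in DEVICE_NAMES:
        for label, enc in (("ansi", dev), ("wide", dev.decode().encode("utf-16-le"))):
            findings += [(f"device name {dev.decode()} ({label})", off)
                         for off in _offsets(data, enc)]
    return sorted(findings, key=lambda f: f[1])


# Constructed sample buffer (not a real binary): the method 02 sequence from the
# Haspinst.exe listing, padding, a MeltICE device name, then a method 05 check.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"                      # mov ax,0911h
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 16
    + b"\\\\.\\SICE\x00"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:06X}  {name}")
```

The window check tolerates reordered or interleaved instructions (as in the Haspinst listing, where `mov dx,[bx]` sits between the first two fragments), while rejecting fragments that merely happen to occur far apart in the file.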