<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

mov ebp, 04243484Bh   ; 'BCHK'
mov ax, 04h
int 3
cmp al,4              ; al is no longer 4 if SoftICE handled the int 3
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h      ; VxD ID of winice
int 2Fh
mov ax, es         ; ES:DI -> VxD API entry point
add ax, di
test ax,ax         ; ES:DI stays 0 when the VxD is not loaded
jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh      ; VxD ID of SIWVID
int 2fh
mov ax, es         ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]       ; install a dummy int 41h handler (ES = 0 assumed)
xchg bx, es:[41h*4+2]     ; the old vector is kept in bx:dx
mov ax,4fh
int 41h                   ; with no debugger, the dummy handler leaves ax = 4fh
xchg dx, es:[41h*4]       ; restore the old vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al             ; only reached if nobody else owns int 41h
    iret
int41handler ENDP

xor ax,ax
mov es,ax                 ; ES = 0: the interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]       ; install our handler, keep the old vector in bx:dx
xchg bx, es:[41h*4+2]
in al, 40h                ; unpredictable byte read from the timer chip
xor cx,cx                 ; cl stays 0 unless our handler runs
int 41h
xchg dx, es:[41h*4]       ; restore the old vector
xchg bx, es:[41h*4+2]
cmp cl,al                 ; cl != al: our handler never ran, int 41h is hooked
jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

mov ah, 25h                     ; set interrupt vector
mov al, Int_Number              ; 01h or 03h
mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

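The two DR7 values quoted in Method 10 are easier to reason about once the register is split into its fields. The decoder below is an added example written for this note, not code from the original text; the bit layout is the documented Intel one, the 0x700/0x400 rule is the one stated above, and the sample values are constructed.

```python
# DR7 layout (Intel): L0/G0..L3/G3 in bits 0..7, LE bit 8, GE bit 9,
# bit 10 reserved (reads as 1), RWn in bits 16+4n..17+4n, LENn in 18+4n..19+4n.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into the LE/GE flags and the list of armed breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "slots": slots,
    }


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """Apply the rule from Method 10: LE and GE both set (0x700) means the
    program was started from the SoftICE loader; 0x400 is just the reserved
    bit; any armed slot is a BPM on the address held in DR0..DR3."""
    info = decode_dr7(dr7)
    findings = []
    if info["le"] and info["ge"]:
        findings.append("started from SoftICE loader (LE+GE set)")
    for s in info["slots"]:
        findings.append("BPM %s len %d at %#x"
                        % (s["type"], s["len"], dr0_3[s["slot"]]))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not captured from a real machine.
    for dr7 in (0x400, 0x700, 0xF0401):
        print("%#07x -> %s" % (dr7, classify(dr7, (0x401000, 0, 0, 0))))
```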
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
          ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
          ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00               ; OF_READ
mov eax,[00656634]    ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589          ; detected
push 00               ; OF_READ
mov eax,[00656638]    ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh          ; function 4fh
push 002a002ah          ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
call Kernel32!ORD_001   ; VxdCall
cmp ax, 0f386h          ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

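Most of the tricks above (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13) depend on fixed immediates or strings that survive in the executable, so an analyst can flag them statically before loading anything under SoftICE. The scanner below is an added example and not code from the original text or from any named tool; the byte signatures are my own encoding of the instruction sequences quoted in those methods, and the sample buffer is constructed.

```python
import re

# One byte signature per trick: the fixed immediates each method needs, encoded
# little-endian, with a small wildcard gap between instructions so register
# shuffling or a 66h operand-size prefix does not defeat the match.
# Written for this example; these are not taken from any real scanner.
SIGNATURES = [
    # M01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker BCHK + int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),
    # M02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    ("M02 back door SI=4647h DI=4A4Dh + int 3",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc"),
    # M03/M04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     rb"\xb8\x84\x16.{0,4}\xbb(?:\x02\x02|\x5f\x7a).{0,4}\xcd\x2f"),
    # M05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh magic 0F386h",
     rb"\xb8\x4f\x00.{0,8}\xcd\x41.{0,8}\x3d\x86\xf3"),
    # M07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h",
     rb"\xb4\x43.{0,8}\xcd\x68.{0,8}\x3d\x86\xf3"),
    # M11 (MeltICE): driver device names passed to CreateFileA or _lopen
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # M12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12 VxDCall 002A002A/4Fh",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # M13: registry key used to locate the SoftICE install directory
    ("M13 registry key NuMega\\SoftICE",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(blob):
    """Return every signature hit as (offset, label), sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: NOP filler around three of the tricks, laid out the way
# a protected loader might carry them. Not taken from any real program.
SAMPLE = (
    b"\x90" * 16
    # mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3   (Method 02)
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 8
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz +10h        (Method 05)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"
    + b"\x90" * 8
    # "\\.\SICE" as MeltICE hands it to CreateFileA         (Method 11)
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
)
```

Running scan(SAMPLE) reports the three planted tricks at offsets 19, 34 and 52; a buffer of plain NOPs reports nothing.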
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>