About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; a dummy handler leaves ax=4fh; a debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer counter: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; handler not reached (cl still 0) -> int 41h was hooked
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
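The debug-register check described above, as an added example that is not part of the original text: a decoder for DR7 (bit layout as documented in the Intel SDM) that reports the LE/GE flags behind the 0x700 value, which of DR0..DR3 are armed and with what access type and length, the "SoftICE suspected" decision of method 10, and the DR7 value left after a protection clears the BPMs. The register values in main() are constructed (a write breakpoint at 401000h and a dword read/write breakpoint at 402000h), since reading the real DRx needs ring 0, as the text says.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0..7         L0,G0 .. L3,G3 : local/global enable of DR0..DR3
 *   bit 8, bit 9      LE, GE         : the 0x700 quoted above is LE|GE plus bit 10
 *   bit 10            reserved, always reads as 1 (the 0x400 "nothing set" baseline)
 *   bit 13            GD             : general detect, traps MOV to/from DRx
 *   bits 16+4i,17+4i  R/W i          : 00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4i,19+4i  LEN i          : 00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8 on x86-64)
 */
typedef struct {
    int enabled;        /* L or G bit set for this slot         */
    int global;         /* G bit set (survives task switches)   */
    unsigned rw;        /* 0 exec, 1 write, 2 I/O, 3 read/write */
    unsigned len;       /* 1, 2, 4 or 8 bytes                   */
    uint32_t addr;      /* linear address held in DR0..DR3      */
} hwbp_t;

typedef struct {
    int loader_flags;   /* LE and GE both set: the dr7 == 0x700 case in the text */
    int general_detect; /* GD set                                                */
    int active;         /* number of armed DR0..DR3 slots (the BPMs)             */
    hwbp_t bp[4];
} dr_state_t;

static const unsigned len_table[4] = { 1, 2, 8, 4 };

/* Decodes DR7 together with DR0..DR3 into a readable structure. */
dr_state_t decode_debug_regs(uint32_t dr7, const uint32_t dr[4]) {
    dr_state_t s = {0};
    s.loader_flags   = (dr7 & 0x300u) == 0x300u;
    s.general_detect = (dr7 >> 13) & 1u;
    for (int i = 0; i < 4; i++) {
        hwbp_t *b  = &s.bp[i];
        int local  = (dr7 >> (2 * i)) & 1u;
        b->global  = (dr7 >> (2 * i + 1)) & 1u;
        b->enabled = local | b->global;
        b->rw      = (dr7 >> (16 + 4 * i)) & 3u;
        b->len     = len_table[(dr7 >> (18 + 4 * i)) & 3u];
        b->addr    = dr[i];
        s.active  += b->enabled;
    }
    return s;
}

/* The decision method 10 makes: SoftICE's loader left LE|GE set, or a BPM is armed. */
int softice_suspected(uint32_t dr7, const uint32_t dr[4]) {
    dr_state_t s = decode_debug_regs(dr7, dr);
    return s.loader_flags || s.active > 0;
}

/* The value a protection writes back when it "clears the BPMs": every enable,
 * R/W and LEN field dropped, the reserved bit kept, GD left as it was. */
uint32_t strip_bpms(uint32_t dr7) {
    return (dr7 & 0x2000u) | 0x400u;
}

int main(void) {
    /* Constructed values: BPM 401000 W (slot 0) and BPM 402000 RW D (slot 1). */
    const uint32_t dr[4] = { 0x401000u, 0x402000u, 0, 0 };
    const uint32_t dr7 = 0x00F10405u;
    dr_state_t s = decode_debug_regs(dr7, dr);
    static const char *rw_names[] = { "exec", "write", "io", "rw" };

    printf("dr7=%08X loader_flags=%d active=%d\n", dr7, s.loader_flags, s.active);
    for (int i = 0; i < 4; i++)
        if (s.bp[i].enabled)
            printf("  DR%d: %08X %s len=%u %s\n", i, s.bp[i].addr,
                   rw_names[s.bp[i].rw], s.bp[i].len, s.bp[i].global ? "global" : "local");
    printf("suspected=%d after strip=%08X\n", softice_suspected(dr7, dr), strip_bpms(dr7));
    return 0;
}
```

The decoder is also what you want on the defender's side: a BPM placed with SoftICE shows up as an enabled slot with a non-zero address, which is exactly why the text tells you to clear breakpoints before tracing a protection that reads DRx.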

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win9x SoftICE VxD; the same call with "\\.\SIWVID"
      or "\\.\NTICE" covers the video VxD and the NT driver. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
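A static counterpart to the SoftICE breakpoints given for methods 02 through 13, added here as an example that is not part of the original text: a scanner that looks in a file image for the byte encodings of the instructions quoted above (mov ebp,'BCHK'; the SI/DI magic values; int 2Fh/1684h with the SICE and SIWVID IDs; int 41h/4Fh; cmp ax,0F386h; int 68h/43h; the 002A002Ah VxDCall push) and for the device and registry names used by methods 11 and 13. The encodings are one common 16-bit (DOS) or 32-bit (Win32) form of each instruction, so an assembler that picks a different form (for instance the 5-byte push for 4Fh) or a packer that builds the values at run time will not match, which is why the BPX approach above remains the dynamic complement. The sample buffer is constructed (a few patterns glued together with NOPs), not a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per trick found. */
enum {
    T_BCHK       = 1u << 0,  /* method 01: mov ebp,4243484Bh ('BCHK')   */
    T_BACKDOOR   = 1u << 1,  /* method 02: mov si,4647h ; mov di,4A4Dh  */
    T_VXD_SICE   = 1u << 2,  /* method 03: int 2Fh/1684h, bx=0202h      */
    T_VXD_SIWVID = 1u << 3,  /* method 04: int 2Fh/1684h, bx=7A5Fh      */
    T_INT41_4F   = 1u << 4,  /* method 05: mov ax,4Fh ; int 41h         */
    T_MAGIC_F386 = 1u << 5,  /* methods 05-07, 12: cmp ax,0F386h        */
    T_INT68_43   = 1u << 6,  /* method 07: mov ah,43h ; int 68h         */
    T_DEV_SICE   = 1u << 7,  /* method 11: "\\.\SICE"                   */
    T_DEV_SIWVID = 1u << 8,  /* method 11: "\\.\SIWVID"                 */
    T_DEV_NTICE  = 1u << 9,  /* method 11: "\\.\NTICE"                  */
    T_VXDCALL_41 = 1u << 10, /* method 12: push 4Fh ; push 002A002Ah    */
    T_REG_NUMEGA = 1u << 11  /* method 13: Software\NuMega\SoftICE      */
};

typedef struct { const char *what; const uint8_t *p; size_t n; uint32_t flag; } sig_t;

/* Byte encodings of the instructions quoted in the text (16-bit code for the
 * DOS methods, 32-bit for the Win32 ones). */
static const uint8_t s_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t s_magic[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const uint8_t s_sice[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t s_siwvid[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const uint8_t s_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const uint8_t s_f386[]    = { 0x3D, 0x86, 0xF3 };
static const uint8_t s_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };
static const uint8_t s_vxdcall[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

#define BYTES(what, arr, flag) { what, arr, sizeof(arr), flag }
#define TEXT(what, str, flag)  { what, (const uint8_t *)(str), sizeof(str) - 1, flag }

static const sig_t sigs[] = {
    BYTES("01 BoundsChecker 'BCHK' int 3",        s_bchk,    T_BCHK),
    BYTES("02 back door magic SI/DI",             s_magic,   T_BACKDOOR),
    BYTES("03 int 2Fh/1684h SICE VxD",            s_sice,    T_VXD_SICE),
    BYTES("04 int 2Fh/1684h SIWVID VxD",          s_siwvid,  T_VXD_SIWVID),
    BYTES("05 int 41h function 4Fh",              s_int41,   T_INT41_4F),
    BYTES("05-07/12 cmp ax,0F386h",               s_f386,    T_MAGIC_F386),
    BYTES("07 int 68h function 43h",              s_int68,   T_INT68_43),
    TEXT ("11 MeltICE \\\\.\\SICE",               "\\\\.\\SICE",   T_DEV_SICE),
    TEXT ("11 MeltICE \\\\.\\SIWVID",             "\\\\.\\SIWVID", T_DEV_SIWVID),
    TEXT ("11 MeltICE \\\\.\\NTICE",              "\\\\.\\NTICE",  T_DEV_NTICE),
    BYTES("12 VxDCall VWIN32_Int41Dispatch/4Fh",  s_vxdcall, T_VXDCALL_41),
    TEXT ("13 registry Software\\NuMega\\SoftICE", "Software\\NuMega\\SoftICE", T_REG_NUMEGA),
};

static int has_bytes(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m) {
    for (size_t i = 0; m != 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Scans a file image and returns the T_* mask of every signature present. */
uint32_t scan_for_tricks(const uint8_t *buf, size_t n) {
    uint32_t mask = 0;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (has_bytes(buf, n, sigs[i].p, sigs[i].n)) mask |= sigs[i].flag;
    return mask;
}

/* Prints one line per trick in the mask; returns the number of tricks listed. */
int report_tricks(uint32_t mask) {
    int count = 0;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (mask & sigs[i].flag) { printf("method %s\n", sigs[i].what); count++; }
    return count;
}

/* Constructed sample, not a real binary: a few of the patterns glued with NOPs. */
static const uint8_t sample_bin[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,                   /* mov ebp,'BCHK'            (01) */
    0x90,
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,       /* push 4Fh ; push 002A002Ah (12) */
    0x3D, 0x86, 0xF3,                               /* cmp ax,0F386h             (12) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* "\\.\SICE"                (11) */
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\',
    'S','o','f','t','I','C','E', 0,                 /* registry path             (13) */
    0xC3
};

int main(void) {
    uint32_t mask = scan_for_tricks(sample_bin, sizeof sample_bin);
    printf("mask = 0x%03X\n", mask);               /* 0xCA1 for the sample */
    return report_tricks(mask) == 5 ? 0 : 1;
}
```

To use it on a real target, read the file into a buffer and call scan_for_tricks on it; a non-zero mask tells you which of the methods above to expect before you even load the program under SoftICE.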
9 l: M9 v3 {8 b# A/ n9 I</PRE></TD></TR></TBODY></TABLE>