About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with ebp set to
'BCHK' and ax to 4, an INT 3 is handled by SoftICE, which returns with
al changed; without SoftICE, al is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII, easy
to spot in a dump).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  (under DOS this is simply its INT 3 handler) when the debugger is not
  loaded; with SoftICE present, the INT 3 is consumed by the back door and
  execution falls through to 00A1h.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back as 0000:0000 when no VxD
with the requested ID is loaded, so a non-zero ES+DI means SoftICE.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of SICE (winice)
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers: function 4Fh of int 41h is the debugger installation check of
the Windows debugging interface, which SoftICE implements.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The program first points the int 41h
vector at its own dummy handler, so the "no debugger" case is well defined:
the call returns immediately and ax stays 4Fh.  SoftICE takes the interrupt
before the real-mode vector is reached and answers 0F386h.
(ES must address segment 0, the interrupt vector table, as in Method 06;
the two lines that set it up are added here so the snippet stands alone.)

    xor     ax,ax
    mov     es,ax                   ; es = 0 (IVT), added for completeness
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep old offset in dx
    xchg    bx, es:[41h*4+2]        ; ... and old segment in bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: ax is
not 4Fh and no magic number is compared, so a 'BPINT 41 if ax==4f' never
fires.  The program's handler copies al into cl.  Before the int 41h, al is
loaded from port 40h (the PIT counter, an effectively random byte) and cx is
cleared.  If the program's own handler ran, cl == al afterwards; if SoftICE
intercepted int 41h, the handler was never reached and cl is still 0.
(Caveat: a counter reading of 0 gives a false negative, about once in 256 runs.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (IVT)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
43h of int 68h is another debugger installation check and, like int 41h/4Fh,
returns 0F386h when a system debugger is present.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

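The sequences of Methods 01 to 07 are fixed instruction encodings, so an analyst can locate them in a target statically, before SoftICE ever trips on one, which complements the BPX conditions given above. The C program below is an added example and is not code from the original post or from any tool it names: it scans a byte buffer for the encodings of the immediates quoted in the text (32-bit encoding for Method 01, 16-bit encodings for the DOS-era Methods 02 to 07) and reports which method's instructions appear, in order, inside a short window. The function and table names are mine, and the sample bytes in main (the Haspinst loop body followed by the BCHK prologue) are constructed here. Real binaries may encode the same instructions differently (a 66h operand-size prefix, a different register), so a hit is a lead, not proof.

```c
/* Added example: static scan for the anti-SoftICE sequences of Methods 01-07.
 * Not from the original post.  Signatures are the byte encodings of the
 * instructions quoted in the text; the sample buffers are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *what; const uint8_t *b; size_t n; } Part;
typedef struct { const char *method; const Part *parts; size_t nparts; size_t window; } Rule;

/* Method 01 (32-bit code): mov ebp,4243484Bh ('BCHK') ... int 3 */
static const uint8_t m01_ebp[] = {0xBD, 0x4B, 0x48, 0x43, 0x42};
static const uint8_t int3[]    = {0xCC};
/* Method 02 (16-bit code): mov si,4647h / mov di,4A4Dh ... int 3 */
static const uint8_t m02_si[]  = {0xBE, 0x47, 0x46};
static const uint8_t m02_di[]  = {0xBF, 0x4D, 0x4A};
/* Methods 03/04 (16-bit): mov ax,1684h / mov bx,0202h or 7A5Fh ... int 2Fh */
static const uint8_t m03_ax[]  = {0xB8, 0x84, 0x16};
static const uint8_t m03_bx[]  = {0xBB, 0x02, 0x02};
static const uint8_t m04_bx[]  = {0xBB, 0x5F, 0x7A};
static const uint8_t int2f[]   = {0xCD, 0x2F};
/* Method 05 (16-bit): mov ax,4Fh ... int 41h */
static const uint8_t m05_ax[]  = {0xB8, 0x4F, 0x00};
static const uint8_t int41[]   = {0xCD, 0x41};
/* Method 07: mov ah,43h ... int 68h */
static const uint8_t m07_ah[]  = {0xB4, 0x43};
static const uint8_t int68[]   = {0xCD, 0x68};

#define P(name, arr) { name, arr, sizeof arr }
static const Part m01[] = { P("mov ebp,'BCHK'", m01_ebp), P("int 3", int3) };
static const Part m02[] = { P("mov si,4647h", m02_si), P("mov di,4A4Dh", m02_di), P("int 3", int3) };
static const Part m03[] = { P("mov ax,1684h", m03_ax), P("mov bx,0202h", m03_bx), P("int 2Fh", int2f) };
static const Part m04[] = { P("mov ax,1684h", m03_ax), P("mov bx,7A5Fh", m04_bx), P("int 2Fh", int2f) };
static const Part m05[] = { P("mov ax,4Fh", m05_ax), P("int 41h", int41) };
static const Part m07[] = { P("mov ah,43h", m07_ah), P("int 68h", int68) };

#define R(name, arr, win) { name, arr, sizeof arr / sizeof arr[0], win }
static const Rule rules[] = {
    R("Method 01 (BoundsChecker 'BCHK' INT 3)",  m01, 16),
    R("Method 02 (INT 3 back door, SI/DI magic)", m02, 16),
    R("Method 03 (int 2Fh/1684h, SICE VxD ID)",   m03, 16),
    R("Method 04 (int 2Fh/1684h, SIWVID VxD ID)", m04, 16),
    R("Method 05 (int 41h/4Fh)",                  m05, 8),
    R("Method 07 (int 68h/43h)",                  m07, 8),
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Offset of the first copy of part p in buf[from..n), or -1 if none fits. */
static long find_part(const uint8_t *buf, size_t n, size_t from, const Part *p) {
    for (size_t i = from; i + p->n <= n; i++)
        if (memcmp(buf + i, p->b, p->n) == 0) return (long)i;
    return -1;
}

/* A rule matches when all its parts occur in order, the whole sequence
 * fitting inside `window` bytes from the first part.  Returns the offset
 * of the first part, or -1. */
static long rule_match(const uint8_t *buf, size_t n, const Rule *r) {
    long start = find_part(buf, n, 0, &r->parts[0]);
    while (start >= 0) {
        size_t limit = (size_t)start + r->window;
        if (limit > n) limit = n;
        size_t pos = (size_t)start + r->parts[0].n, k = 1;
        for (; k < r->nparts; k++) {
            long at = find_part(buf, limit, pos, &r->parts[k]);
            if (at < 0) break;
            pos = (size_t)at + r->parts[k].n;
        }
        if (k == r->nparts) return start;
        start = find_part(buf, n, (size_t)start + 1, &r->parts[0]);
    }
    return -1;
}

/* Scans buf, prints each hit, returns a bitmask (bit i set = rules[i] matched). */
unsigned scan_anti_sice(const uint8_t *buf, size_t n) {
    unsigned hits = 0;
    for (size_t i = 0; i < NRULES; i++) {
        long off = rule_match(buf, n, &rules[i]);
        if (off >= 0) {
            hits |= 1u << i;
            printf("%-44s at +0x%04lx\n", rules[i].method, off);
        }
    }
    return hits;
}

int main(void) {
    /* Constructed sample: the Haspinst loop body from Method 02 (16-bit),
     * two NOPs, then the Method 01 sequence (32-bit). */
    static const uint8_t sample[] = {
        0xB8, 0x11, 0x09,               /* mov ax,0911h      */
        0x8B, 0x17,                     /* mov dx,[bx]       */
        0xBE, 0x47, 0x46,               /* mov si,4647h      */
        0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh      */
        0xCC,                           /* int 3             */
        0x90, 0x90,
        0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh */
        0x66, 0xB8, 0x04, 0x00,         /* mov ax,4          */
        0xCC,                           /* int 3             */
        0x3C, 0x04,                     /* cmp al,4          */
    };
    unsigned hits = scan_anti_sice(sample, sizeof sample);
    return hits == 0x3u ? 0 : 1;       /* bits 0 and 1: Methods 01 and 02 */
}
```

The window keeps the rule from pairing a `mov si,4647h` with an unrelated `int 3` hundreds of bytes later; widen it for code that stores the magic values earlier, and add a second encoding (with the 66h prefix, or `mov ebp` replaced by another register) if the target was assembled for the other operand size.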

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    push    cs
    pop     ds                      ; ds:dx must address the new handler
    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only: MOV from a debug register raises #GP in ring 3).
Values can be manipulated and/or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
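To turn a raw DR7 value into the decision Method 10 describes, the protector has to decode the register's fields: the local/global enable bits for DR0 to DR3, the R/W and LEN fields that say what kind of breakpoint each slot holds, and the LE/GE bits that distinguish the 0x700 and 0x400 values quoted above. The C program below is an added example, not code from the original post or from FrogsICE: it decodes DR7, answers "debugger or BPM present" from the same two signs the text names, and shows the "clear BPMs" manipulation as the value that would be written back. Reading DR7 itself needs ring 0 (MOV from DRx faults in ring 3), so the raw value is passed in; 0x400 and 0x700 are the values from the text, while 0x000D0401 is an assumed BPM (L0 set, write access, 4 bytes) constructed for the demonstration.

```c
/* Added example: decode DR7 the way a Method 10 check must.  Not from the
 * original post.  The raw DR7 value is passed in because reading it needs
 * ring 0; 0x000D0401 below is an assumed BPM setting, not a captured one. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local, global; /* L0..L3 / G0..G3: bit 2i / bit 2i+1                       */
    int rw;            /* bits 16+4i..17+4i: 0 exec, 1 write, 2 I/O, 3 read/write  */
    int len;           /* bits 18+4i..19+4i: 0 = 1, 1 = 2, 3 = 4 bytes (2 = 8, long mode) */
} DrSlot;

typedef struct {
    DrSlot slot[4];
    int le, ge;        /* bits 8, 9: local/global exact breakpoint enable   */
    int gd;            /* bit 13: general detect, traps any MOV to/from DRx */
    int armed;         /* number of slots with L or G set                   */
} Dr7;

Dr7 dr7_decode(uint32_t dr7) {
    Dr7 d = {0};
    for (int i = 0; i < 4; i++) {
        d.slot[i].local  = (dr7 >> (2 * i))      & 1;
        d.slot[i].global = (dr7 >> (2 * i + 1))  & 1;
        d.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len    = (dr7 >> (18 + 4 * i)) & 3;
        if (d.slot[i].local || d.slot[i].global) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The text's test: 0x400 is the idle value (bit 10 always reads 1), 0x700
 * adds LE|GE, which the SoftICE loader leaves set, and any armed slot is a
 * BPM.  Returns 1 when either sign of the debugger is present. */
int dr7_debugger_present(uint32_t dr7) {
    Dr7 d = dr7_decode(dr7);
    return (d.le || d.ge || d.armed > 0) ? 1 : 0;
}

/* "Clearing BPMs": drop every enable bit and every R/W-LEN field, keep
 * bits 8..15 (LE, GE, the reserved bit, GD).  This is the value a protector
 * would write back with MOV DR7 in ring 0. */
uint32_t dr7_clear_bpms(uint32_t dr7) {
    return dr7 & 0x0000FF00u;
}

static const char *rw_name(int rw) {
    static const char *names[] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

static int len_bytes(int len) {
    return len == 0 ? 1 : len == 1 ? 2 : len == 3 ? 4 : 8;
}

void dr7_print(uint32_t dr7) {
    Dr7 d = dr7_decode(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d -> %s\n", dr7, d.le, d.ge, d.gd,
           d.armed, dr7_debugger_present(dr7) ? "debugger/BPM present" : "clean");
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local || d.slot[i].global)
            printf("  DR%d: %s%s %s len=%d\n", i, d.slot[i].local ? "L" : "",
                   d.slot[i].global ? "G" : "", rw_name(d.slot[i].rw),
                   len_bytes(d.slot[i].len));
}

int main(void) {
    dr7_print(0x400);       /* value quoted in the text: no SoftICE loader, no BPM  */
    dr7_print(0x700);       /* value quoted in the text: started via SoftICE loader */
    dr7_print(0x000D0401);  /* assumed BPM on DR0: L0, RW0=01 (write), LEN0=11 (4 bytes) */
    dr7_print(dr7_clear_bpms(0x000D0401));
    return 0;
}
```

Since DR7 only says which slots are armed, the matching DR0 to DR3 reads give the addresses the BPMs watch; a protector that "manipulates" the registers would compare those against its own code and data before clearing them, which is why the warning above tells you to drop your breakpoints before letting such code run.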

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" names the SoftICE VxD: the open only succeeds when the
      driver is loaded and answers the DIOC_OPEN control message. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
  (esp-&gt;4 is lpFileName; +4 skips the "\\.\" prefix, and the dword compare
  matches the first four characters of the driver name, hence 'NTIC' for NTICE)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
     (esp-&gt;8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" inside
     keys #2 and #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).
The service returns with the zero flag clear when a debugger is installed,
hence the conditional jump below.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>