<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP = 'BCHK' and
AX = 4, the INT 3 comes back with AL no longer equal to 4 when SoftICE is
loaded.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(API Get Entry Point): if the VxD is loaded, ES:DI comes back non-zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy IRET handler, so only a debugger that intercepts the interrupt
itself can leave 0F386h in AX:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if SoftICE swallows the interrupt, CL stays
at zero and differs from AL:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to Methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
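To make sense of the two DR7 values quoted above (0x400 and 0x700) and of what a BPM looks like in DR7, here is a small decoder. It is an added example written for this page, not code from the original text; the bit layout is the standard x86 DR7 layout, and the "loader" label for 0x700 simply echoes the statement above about the SoftICE loader.

```python
"""Decode an x86 DR7 value into the hardware-breakpoint state it describes.

Added example (not code from the original text). It explains the two DR7
readings quoted above, 0x400 (nothing set, only the reserved always-1 bit 10)
and 0x700 (bit 10 plus LE and GE), and shows how a BPM on DR0..DR3 shows up
in DR7. The bit layout is the standard x86 one: L0/G0..L3/G3 in bits 0-7,
LE bit 8, GE bit 9, GD bit 13, R/Wn in bits 16+4n, LENn in bits 18+4n.
"""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN field encoding (0b10 = 8 bytes, 64-bit only)


def decode_dr7(dr7):
    """Return the breakpoints enabled by DR7 plus its global flag bits."""
    dr7 &= 0xFFFFFFFF
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "index": n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            # an execute breakpoint is always 1 byte (LEN must be 00)
            "length": 1 if rw == 0 else LENGTHS[ln],
        })
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def classify_dr7(dr7):
    """Label a DR7 reading the way the text above reads it."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "bpm"       # memory/hardware breakpoints set in DR0..DR3
    if info["le"] and info["ge"]:
        return "loader"    # 0x700: LE/GE set, program started via SoftICE loader
    return "clean"         # 0x400: only the reserved bit


if __name__ == "__main__":
    # sample values: the two quoted in the text plus one constructed BPM
    # (DR0 enabled locally, R/W0 = write, LEN0 = 4 bytes)
    for value in (0x400, 0x700, 0x000D0401):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```

Reading DR7 still needs ring0, as the text says; the decoder only interprets a value you already have (from a driver, a crash dump or a debugger's register window).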

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 &amp; 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
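The BPX lines given for Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 all assume you already know which trick a program uses. A static pass over the file tells you that before you run it, so you can set the right breakpoint first. The scanner below is an added example written for this page, not code from the original text or from any of the tools it names: the byte patterns are the standard 16/32-bit x86 encodings of the instructions quoted in those methods (an assumption: a protector that builds the same values with other instructions will not match), and SAMPLE is a constructed buffer, not a real program.

```python
"""Static scan for the anti-SoftICE patterns listed in this text.

Added example, not from the original text: an analyst-side check that
reports which of the tricks above a file appears to carry, so the matching
BPX can be set before the program is run. The byte patterns are the
standard 16/32-bit x86 encodings of the instructions quoted in the methods
(an assumption: a packer that builds the same values differently will not
match). SAMPLE is a constructed buffer, not a real program.
"""
import re

# signature name -> regex over the raw bytes
SIGNATURES = {
    "Method 01: mov ebp,4243484Bh ('BCHK')": rb"\xBD\x4B\x48\x43\x42",
    "Method 02: backdoor magic mov si,4647h ... mov di,4A4Dh": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    "Method 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh": rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F",
    "Method 05: mov ax,4Fh / int 41h": rb"\xB8\x4F\x00\xCD\x41",
    "Method 07: mov ah,43h / int 68h": rb"\xB4\x43\xCD\x68",
    "Method 11: SoftICE device name": rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    "Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch)": rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    "Method 13: NuMega registry key": rb"Software\\NuMega\\SoftICE",
}


def scan(data):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a whole file read in binary mode."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# constructed sample: a few of the quoted sequences embedded in filler bytes
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"    # Method 01 at 16
    + b"\x00" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02 (Haspinst loop), magic at 41
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"                    # Method 11 device names at 56 and 65
    + b"\x00" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # Method 12 VxDCall at 84
    + b"Software\\NuMega\\SoftICE\x00"                       # Method 13 key at 96
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a real file with scan_file(path); a hit only says the byte sequence is present, so confirm it with the BPX for that method before drawing conclusions, and expect misses when the values are computed at run time rather than stored as immediates.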
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>