<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
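As an added example, not part of the original text: a small Python scanner that looks for the byte patterns of methods 01, 02, 05, 11 and 12 in a binary, the kind of static triage an analyst runs on a sample to list the SoftICE checks it carries before stepping through it. The signature names and the sample buffer are constructed; the opcode encodings are the standard x86 ones for the instructions quoted above.

```python
import re

# Each signature is a regex over raw bytes (standard x86 encodings).  The
# optional 0x66 operand-size prefix lets one pattern cover 16-bit and
# 32-bit code segments.  Signature names are constructed labels.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (BD 4B 48 43 42 ... CC)
    "01 BoundsChecker BCHK / int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h then mov di,4A4Dh, the back door magic values
    "02 back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL),
    # Method 05: mov ax,4Fh followed by int 41h
    "05 int 41h function 4Fh":
        re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan(buf: bytes) -> dict:
    """Return {signature name: [offsets]} for every signature found in buf."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample buffer: methods 01 (32-bit), 02 and 05 (16-bit) and the
# MeltICE device strings, separated by NOP filler.  Not taken from a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"         # method 02
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                 # method 05
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # method 11
    + b"\x90" * 5
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: offsets {[hex(o) for o in offsets]}")
```

Run it over a whole file with `scan(open(path, "rb").read())`; a hit only tells you where to look, the disassembly around the offset confirms which method it is.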