<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL is left untouched when nothing handles the int 3
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 when the VxD is not loaded
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES is assumed to be 0 (interrupt vector table segment)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install a dummy int 41h handler,
        xchg bx, es:[41h*4+2]    ; saving the previous vector in DX:BX
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h           ; the dummy handler never sets AX to this value
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al               ; runs only if nobody else has hooked int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, save the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h               ; read the timer port: an unpredictable value in AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al               ; CL != AL means our handler never ran: int 41h is hooked
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the SoftICE VxD device name; the open only succeeds
       when the driver is loaded (see the Control_Dispatch note below). */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
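
As an added example (not part of the original text), here is a small static
scanner that looks for the byte forms of the checks catalogued in methods 01,
02, 03/04, 05, 11 and 12: the triage an analyst runs on a sample to learn which
anti-SoftICE tricks it carries before stepping through it. The instruction
encodings, the signature names and the constructed sample buffer are mine; the
constants come from the methods above.

```python
import re

# Byte-level signatures of the SoftICE checks catalogued above (standard
# x86 encodings of the instructions each method quotes).  re.S lets '.'
# match any byte, so a short gap of unrelated instructions is tolerated.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh  ->  BD 4B 48 43 42 ('BCHK' little-endian)
    "bchk_boundschecker": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values)
    "backdoor_magic": re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "int2f_vxd_id": re.compile(
        rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh / int 41h
    "int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 11: driver names handed to CreateFileA / _lopen
    "meltice_device": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": re.compile(rb"\x68\x2A\x00\x2A\x00"),
}


def scan(buf: bytes) -> dict:
    """Return {signature name: [offsets]} for every trick found in buf."""
    hits = {}
    for name, pat in SIGNATURES.items():
        offsets = [m.start() for m in pat.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: hand-assembled fragments of methods 01, 02, 03, 11 and
# 12 padded with NOPs.  It is not taken from any real protector.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"              # mov ebp,'BCHK' (66 prefix: 16-bit code)
    + b"\xB8\x04\x00\xCC\x3C\x04"              # mov ax,4 / int 3 / cmp al,4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"       # device names as C strings
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"  # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:20s} at {', '.join(hex(o) for o in offsets)}")
```

A hit only says the constant is present; a human still has to confirm the
surrounding code really performs the check, since the same bytes can occur in data.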
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>