<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE!

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point").

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WinICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler...
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read an unpredictable value (timer port)
    xor cx,cx
    int 41h                  ; our handler copies al into cl; if SoftICE
                             ; intercepts int 41h itself, cl stays 0
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD: the open
       succeeds only if the driver is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

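As an added example (not code from the page or from any of the programs it mentions), here is a small Python triage scanner that looks for the byte patterns of the checks described in Methods 01 to 05, 11, 12 and 13, so an analyst can tell which trick a sample carries before stepping into it. The signature names, the scan helper and the sample byte strings are constructed here; the instruction encodings are standard x86 and the magic values are the page's own.

```python
"""Static triage of the SoftICE checks described on this page (constructed example)."""
import re

# Byte patterns for the instruction sequences of Methods 01-05, 11, 12 and 13.
# Encodings are standard x86: 16-bit code for the DOS tricks, 32-bit for the Win32 ones.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    "bchk_boundschecker": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}\x66\xB8\x04\x00.{0,8}\xCC", re.S),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    "backdoor_magic_si_di": re.compile(
        rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46).{0,8}\xCC", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_vxd_entry_point": re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05, 07, 12: cmp ax,0F386h (3D 86 F3; 66h prefix in 32-bit code)
    "magic_f386_compare": re.compile(rb"\x66?\x3D\x86\xF3"),
    # Method 11 (MeltICE) and the _lopen variant: driver device names as strings
    "meltice_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: the registry key used to locate the installation directory
    "numega_registry_key": re.compile(rb"NuMega\\SoftICE", re.I),
}


def scan(data: bytes) -> dict:
    """Return {signature_name: [offsets]} for every pattern present in data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: 32-bit code with the Method 01 sequence, then a MeltICE device name.
SAMPLE_WIN32 = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"
)
# Constructed sample: 16-bit DOS code with the Method 02 magic values, then the
# Method 03 int 2Fh/1684h check and the Method 05 int 41h/4Fh check.
SAMPLE_DOS = (
    b"\xB8\x11\x09"       # mov ax, 0911h
    + b"\x8B\x17"         # mov dx, [bx]
    + b"\xBE\x47\x46"     # mov si, 4647h
    + b"\xBF\x4D\x4A"     # mov di, 4A4Dh
    + b"\xCC"             # int 3
    + b"\xB8\x84\x16"     # mov ax, 1684h
    + b"\xBB\x02\x02"     # mov bx, 0202h
    + b"\xCD\x2F"         # int 2Fh
    + b"\xB8\x4F\x00"     # mov ax, 4Fh
    + b"\xCD\x41"         # int 41h
    + b"\x3D\x86\xF3"     # cmp ax, 0F386h
)
CLEAN = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"  # push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret
```

Run scan() over a dumped code section or a whole file; a hit only says the pattern is present, so confirm it by reading the surrounding code before deciding how to bypass it.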
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>