About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK' BoundsChecker signature
    mov     ax, 04h
    int     3                      ; SoftICE recognizes the signature and changes AL
    cmp     al,4                   ; AL is left unchanged when no SoftICE is present
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method.  It looks up the SoftICE VxD by its device ID via int 2Fh,
function 1684h (Get Device API Entry Point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by a system debugger
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (needed for the es: accesses below)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
    mov     ax,4fh
    int     41h                     ; a debugger hooking below the IVT still answers
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: leaves AX untouched
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran, the
    jnz     SoftICE_detected        ; interrupt was swallowed by a debugger

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h                  ; function 43h: installation check
    int     68h
    cmp     ax,0F386h               ; magic number returned by the debugger
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, 01h                      ; Int_Number: 01h (or 03h)
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the SICE VxD's device handle */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;           /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set: no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
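As an added example (not part of the original post), here is a small static scanner that looks for the byte sequences and strings of Methods 01-05, 07, 11, 12 and 13 in a sample, so an analyst can flag which of these anti-SoftICE checks a binary contains before running it. The instruction encodings are the standard x86 ones for the instructions quoted above, and the sample buffer is constructed for the example, not a real file.

```python
import re

# Byte signatures for the checks quoted in the methods above. Encodings are the
# standard x86 ones for the instructions shown; an optional 66h prefix covers
# the 16-bit register forms when the same check is compiled into 32-bit code.
# (Constructed for this example, not taken from the original post.)
CODE_SIGNATURES = {
    "Method 01: int 3 with BoundsChecker signature (EBP='BCHK', AX=4)":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    "Method 02: int 3 back door magic values (SI=4647h, DI=4A4Dh)":
        rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    "Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "Method 05: int 41h/4Fh followed by cmp ax,0F386h":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3",
    "Method 07: int 68h with AH=43h":
        rb"\xB4\x43\xCD\x68",
    "Method 12: push 4Fh / push 002A002Ah before VxDCall":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# String indicators: driver device names (Method 11) and registry keys
# (Method 13). Each is also searched as UTF-16LE, which Win32 binaries often
# use for such strings, and case-insensitively.
STRING_INDICATORS = [
    ("Method 11: SoftICE driver device name", b"\\\\.\\SICE"),
    ("Method 11: SoftICE driver device name", b"\\\\.\\SIWVID"),
    ("Method 11: SoftICE driver device name", b"\\\\.\\NTICE"),
    ("Method 13: SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    ("Method 13: SoftICE registry key", b"Uninstall\\SoftICE"),
    ("Method 13: SoftICE registry key", b"App Paths\\Loader32.Exe"),
]


def scan_anti_softice(blob: bytes):
    """Return a sorted list of (offset, description) for every indicator found."""
    hits = []
    for desc, pattern in CODE_SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), desc))
    for desc, literal in STRING_INDICATORS:
        wide = literal.decode("ascii").encode("utf-16-le")
        for encoded in (literal, wide):
            for m in re.finditer(re.escape(encoded), blob, re.IGNORECASE):
                hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample buffer (not a real binary): filler with four of the
# checks embedded at known offsets.
SAMPLE = (
    b"MZ" + b"\x90" * 14                          # 0..15  filler
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # 16     Method 05, 16-bit form
    + b"\x90" * 8                                  # 24..31 filler
    + b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A"          # 32     Method 02, 32-bit form
    + b"\x00" * 8                                  # 40..47 filler
    + b"\\\\.\\SICE\x00"                           # 48     Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"             # 57     Method 13 registry key
)

if __name__ == "__main__":
    for offset, desc in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

A hit only shows that the bytes of a check are present; the same sequence can occur by chance in data, so confirm each hit in a disassembler before concluding the program performs the check.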
Hosted on 汶上信息港 (Discuz! forum)
