About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.