<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
    BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

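Added example (not part of the original text): a decoder for the DR7 layout the Method 10 check reads, so the 0x700 / 0x400 values above and the dr0-dr3 breakpoint slots can be interpreted from a dumped register set. The bit layout follows the x86 architecture manuals; the function names and the constructed sample values are assumptions made here.

```python
# Added example: decode the x86 DR7 debug control register as read by the
# Method 10 check. Layout (Intel SDM, "Debug Registers"): bits 0-7 are the
# local/global enable pairs L0,G0 .. L3,G3; bit 8 is LE and bit 9 is GE (the
# "exact breakpoint" bits); bit 10 is reserved and always reads as 1, which is
# why an idle DR7 reads 0x400; bits 16-31 carry R/W and LEN for DR0..DR3.

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe the breakpoints DR7 enables; dr0_3 supplies the addresses."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "address": dr0_3[i],
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "breakpoints": slots}


def softice_loader_signature(dr7):
    """The comparison quoted above: 0x700 is the reserved bit 10 (0x400) plus
    LE and GE set, which the text attributes to a program started through the
    SoftICE loader; 0x400 alone is the idle value."""
    return (dr7 & 0x300) == 0x300


def active_bpm_count(dr7):
    """Number of DR0-DR3 slots enabled: what a BPM leaves behind for the check."""
    return len(decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # Constructed sample values (not dumped from a real machine): an idle DR7,
    # the loader value, and a DR7 with a 4-byte global write breakpoint in slot 1.
    for value in (0x400, 0x700, 0xD00408):
        print(hex(value), softice_loader_signature(value),
              decode_dr7(value, (0, 0x401000, 0, 0)))
```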
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

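Added example (not part of the original text): a small static scanner that flags the byte patterns the checks in Methods 01, 02, 03/04, 05, 07, 11 and 12 leave in a binary, so an analyst can spot them before running a sample. The instruction encodings are derived here from the listings above (16-bit mov si/di and 32-bit mov ebp immediates, cmp ax,imm16, int NN) and the sample bytes are constructed, not taken from a real file; real packers may reorder or obfuscate the instructions.

```python
import re

# Added example: byte signatures for the SoftICE checks listed above.
# Encodings assumed from the listings: 16-bit "mov si,imm16" is BE iw,
# "mov di,imm16" is BF iw, 32-bit "mov ebp,imm32" is BD id, "mov ax,imm16"
# is B8 iw, "mov bx,imm16" is BB iw, "cmp ax,imm16" is 3D iw, "int NN" is CD NN.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' handshake (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("Method 02: back door magic values (mov si,4647h ... mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("Methods 03/04: int 2Fh/1684h with the SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("Method 05: int 41h function 4Fh (mov ax,4fh / int 41h)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("Methods 05/07/12: compare with the 0F386h magic number",
     re.compile(rb"\x3D\x86\xF3")),
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
]


def scan(blob):
    """Return a list of (label, offset) hits found in blob, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((label, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample (not bytes from a real file): the Haspinst.exe loop body
# quoted in Method 02, re-encoded by hand, followed by a MeltICE device name.
SAMPLE = (
    b"\xB8\x11\x09"        # mov ax,0911h
    b"\x8B\x17"            # mov dx,[bx]
    b"\xBE\x47\x46"        # mov si,4647h
    b"\xBF\x4D\x4A"        # mov di,4A4Dh
    b"\xCC"                # int 3
    b"\\\\.\\SICE\x00"     # "\\.\SICE",0
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```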
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>