<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; ES must be 0 here (as in Method 06) so that es:[41h*4] is the int 41h vector
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API, needs windows.h. Returns TRUE when the SICE device can be
 opened, i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed
This service just checks a flag.
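
Added here as an example (not code from the original text or from any tool it names): a Python scanner that looks for the byte encodings of the instructions and strings that Methods 01-07 and 11-13 rely on, so an analyst can list which of these checks a sample carries before stepping through it. The immediates come from the mnemonics above; SIGNATURES, scan, report and the sample bytes are my own constructions.

```python
"""Static triage for the SoftICE checks of Methods 01-07 and 11-13: scan a raw
binary for the byte encodings of the instructions and strings those methods use,
so an analyst can list which anti-debug tricks a sample carries before running it.
"""
import re
import sys

# Regex byte patterns derived from the text; x86 immediates are little-endian,
# so mov si,4647h encodes as BE 47 46 and push 002A002Ah as 68 2A 00 2A 00.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":    rb"\xBD\x4B\x48\x43\x42",            # mov ebp,4243484Bh
    "02 int 3 back door (SI/DI magic)": rb"\xBE\x47\x46.{0,4}\xBF\x4D\x4A",  # mov si,4647h / mov di,4A4Dh
    "03 int 2Fh/1684h VxD 0202h":       rb"\xBB\x02\x02\xCD\x2F",            # mov bx,0202h / int 2Fh
    "04 int 2Fh/1684h VxD 7A5Fh":       rb"\xBB\x5F\x7A\xCD\x2F",            # mov bx,7A5Fh / int 2Fh
    "05 int 41h/4Fh debugger check":    rb"\xB8\x4F\x00\xCD\x41",            # mov ax,4Fh / int 41h
    "07 int 68h/43h":                   rb"\xB4\x43\xCD\x68",                # mov ah,43h / int 68h
    "11 MeltICE driver handle":         rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",   # "\\.\SICE" etc.
    "12 VxDCall VWIN32_Int41Dispatch":  rb"\x68\x2A\x00\x2A\x00",            # push 002A002Ah
    "13 registry lookup":               rb"Software\\NuMega\\SoftICE",
}

def scan(blob: bytes) -> dict:
    """Return {method: [offsets]} for every signature found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        # DOTALL so the '.' gap in pattern 02 also matches a 0x0A byte
        offsets = [m.start() for m in re.finditer(pattern, blob, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits

def report(blob: bytes) -> list:
    """Human-readable lines, one per hit, sorted by file offset."""
    lines = []
    for name, offsets in scan(blob).items():
        for off in offsets:
            lines.append(f"{off:08x}  Method {name}")
    return sorted(lines)

# Constructed sample: the HASP envelope sequence from Method 02 (16-bit code),
# then the simplest Method 05 check, then a MeltICE-style driver name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax,0911h
    + b"\x8B\x17"                  # mov dx,[bx]
    + b"\xBE\x47\x46"              # mov si,4647h
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h
    + b"\\\\.\\SICE\x00"           # "\\.\SICE"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(data)) or "no SoftICE checks found")
```

Run it with a file path to scan that file; with no argument it scans the constructed sample and reports the Method 02, 05 and 11 hits.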
</PRE></TD></TR></TBODY></TABLE>