<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP holding the
'BCHK' signature and AX=4, the INT 3 is answered by SoftICE when it is
loaded, and AL no longer equals 4 on return. Without a debugger the INT 3
has to be caught by the program's own exception handler.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911       ; execute command.
4C19:0098  MOV  DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647       ; 1st magic value.
4C19:009D  MOV  DI,4A4D       ; 2nd magic value.
4C19:00A0  INT  3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02         ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06         ; Repeat 6 times to execute
4C19:00A8  JB   0095          ; 6 different commands.
4C19:00AA  JMP  0002          ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). ES:DI is zeroed first, because the call leaves it
untouched (0:0) when no VxD with that ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy IRET handler is swapped into the
int 41h vector for the duration of the call, so that without a debugger
AX simply comes back unchanged; SoftICE answers the interrupt before the
real-mode vector is reached, so its 0F386h reply still arrives:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES is assumed to be 0 (interrupt vector table)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
4Fh function number and no 0F386h compare appear in the code. AL is loaded
with a value read from the timer port, and the dummy handler copies it to CL.
If SoftICE swallows the int 41h instead of chaining to the vector in the IVT,
the handler never runs and CL stays 0:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) of
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE's loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (ring0 only: a mov from a debug register faults in ring3). The values
can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. A driver that is not loaded has no
device name, so the open fails and the handle is INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name registered by the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the control proc entry point of Winice.exe
while running MeltICE.

        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, -1, on failure,
so "inc eax" leaves 0 only when the open failed):
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey name; the offsets hit
the "tICE" of "SoftICE" in keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
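As an added example (not part of the original text, and not code from MeltICE, SoftICE or any other tool mentioned here), the following Python script does the static counterpart of the SoftICE breakpoints above: it scans a raw blob of code and data for the byte-level signatures of the tricks documented in this list. The patterns are derived from the instruction encodings of the snippets shown (the 'BCHK'/INT 3 pair of Method 01, the 4647h/4A4Dh magic of Method 02, the int 2Fh/1684h calls of Methods 03 and 04, the int 41h/4Fh and int 68h/43h checks of Methods 05 and 07, the push 4Fh / push 2A002Ah of Method 12) plus the driver names of Method 11 and the registry key names of Method 13. The sample blob is hand-assembled for the demonstration and does not come from any real program; the regexes deliberately leave a few bytes of slack between instructions, so hits are leads for a disassembler, not proof.

```python
"""Static scanner for the anti-SoftICE tricks described above (added example).

Given a raw blob of code and data, it reports which documented tricks can be
recognised by their byte-level signatures.  The sample blob at the bottom is
hand-assembled for this demonstration and does not come from any real program.
"""
import re
from typing import Dict, List, Tuple

# (method label, description, regex over raw bytes).  Immediate operands are
# little-endian, as stored in the instruction stream; "\x66?" allows the
# operand-size prefix used when a 16-bit register form appears in 32-bit code.
# ".{0,N}" leaves a few bytes of slack for register setup between instructions.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "BoundsChecker signature: mov ebp,'BCHK' ... int 3",
     rb"\x66?\xBDKHCB.{0,8}\xCC"),
    ("02", "back door magic: mov si,4647h ; mov di,4A4Dh ... int 3",
     rb"\x66?\xBEGF.{0,6}\x66?\xBFMJ.{0,8}\xCC"),
    ("03", "int 2Fh/1684h with the SICE VxD ID 0202h",
     rb"\x66?\xB8\x84\x16.{0,6}\x66?\xBB\x02\x02.{0,6}\xCD\x2F"),
    ("04", "int 2Fh/1684h with the SIWVID VxD ID 7A5Fh",
     rb"\x66?\xB8\x84\x16.{0,6}\x66?\xBB\x5F\x7A.{0,6}\xCD\x2F"),
    ("05", "int 41h/4Fh check: mov ax,4Fh ; int 41h ; cmp ax,0F386h",
     rb"\x66?\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x66?\x3D\x86\xF3"),
    ("07", "int 68h/43h V86 check: mov ah,43h ; int 68h ; cmp ax,0F386h",
     rb"\xB4\x43.{0,6}\xCD\x68.{0,6}\x66?\x3D\x86\xF3"),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     rb"\\\\\.\\(?i:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key name (ANSI strings only)",
     rb"(?i:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]


def scan(blob: bytes) -> List[Dict[str, object]]:
    """Return one record per signature hit, ordered by offset in the blob."""
    hits: List[Dict[str, object]] = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, flags=re.DOTALL):
            hits.append({"method": method, "desc": desc,
                         "offset": m.start(), "bytes": m.group(0).hex(" ")})
    hits.sort(key=lambda h: (h["offset"], h["method"]))
    return hits


def methods_found(blob: bytes) -> List[str]:
    """Sorted, de-duplicated list of the method labels that fired on the blob."""
    return sorted({str(h["method"]) for h in scan(blob)})


def report(blob: bytes) -> str:
    """Human-readable listing: offset, method number, description, bytes."""
    lines = [f"{h['offset']:08x}  method {h['method']}  {h['desc']}\n"
             f"          {h['bytes']}" for h in scan(blob)]
    return "\n".join(lines) if lines else "no anti-SoftICE signature found"


# Constructed sample: hand-assembled fragments of the tricks separated by NOPs.
SAMPLE = b"".join([
    # Method 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz
    bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10"), b"\x90" * 4,
    # Method 02 (16-bit): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    bytes.fromhex("B8 11 09 BE 47 46 BF 4D 4A CC"), b"\x90" * 4,
    # Method 03 (16-bit): xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    bytes.fromhex("33 FF 8E C7 B8 84 16 BB 02 02 CD 2F"), b"\x90" * 4,
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05"), b"\x90" * 4,
    # Method 12 (32-bit): push 4Fh ; push 2A002Ah ; call dword ptr [..] (target cut)
    bytes.fromhex("6A 4F 68 2A 00 2A 00 FF 15"), b"\x90" * 4,
    # Methods 11 and 13: strings as they would sit in a data section
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00",
])

if __name__ == "__main__":
    print(report(SAMPLE))
```

Methods 06, 08, 09, 10 and 14 are left out on purpose: a vector swap, an int 21h/25h call, a VMMCall or a debug-register read has no operand that is specific to SoftICE, so a byte pattern for them would fire on ordinary code. Code that builds the magic values in pieces (mov ah / mov al, xor tricks) or stores the driver names as UTF-16 also slips past these patterns, which is exactly why the breakpoints in the text, which trigger on the values at run time, remain the more reliable check.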

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>