<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call SoftICE's 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our handler into the IVT (assumes es = 0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap our handler into the IVT
    xchg bx, es:[41h*4+2]
    in al, 40h              ; hard-to-predict byte from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl stays 0 if a debugger swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
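Added example, not from the original text and not SoftICE's or any packer's code: a small C scanner that looks for the byte encodings of the stubs shown in Methods 01, 02, 03, 05 and 07 inside a 16-bit code image, tolerating the interleaved instructions seen in the HASP listing. The rule names, the 32-byte window and the constructed sample bytes are my own assumptions; it is a triage aid for spotting these checks in a packed binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WINDOW 32   /* all parts of one stub must lie within this many bytes */
typedef struct { uint8_t b[6]; uint8_t len; } part_t;
typedef struct { const char *name; part_t parts[3]; } rule_t;

/* Byte encodings (16-bit code) of the instruction sequences shown in the text.
 * Method 04 would be the Method 03 rule with bx=7A5Fh (BB 5F 7A) instead. */
static const rule_t rules[] = {
  { "Method 01 BoundsChecker signature",  /* mov ebp,'BCHK'; mov ax,4; int 3 */
    { {{0x66,0xBD,0x4B,0x48,0x43,0x42},6}, {{0xB8,0x04,0x00},3}, {{0xCC},1} } },
  { "Method 02 int 3 back door",          /* mov si,4647h; mov di,4A4Dh; int 3 */
    { {{0xBE,0x47,0x46},3}, {{0xBF,0x4D,0x4A},3}, {{0xCC},1} } },
  { "Method 03 int 2F/1684 SICE VxD",     /* mov ax,1684h; mov bx,0202h; int 2Fh */
    { {{0xB8,0x84,0x16},3}, {{0xBB,0x02,0x02},3}, {{0xCD,0x2F},2} } },
  { "Method 05 int 41/4F magic 0F386h",   /* mov ax,4Fh; int 41h; cmp ax,0F386h */
    { {{0xB8,0x4F,0x00},3}, {{0xCD,0x41},2}, {{0x3D,0x86,0xF3},3} } },
  { "Method 07 int 68/43 magic 0F386h",   /* mov ah,43h; int 68h; cmp ax,0F386h */
    { {{0xB4,0x43},2}, {{0xCD,0x68},2}, {{0x3D,0x86,0xF3},3} } },
};
#define NRULES (sizeof rules / sizeof rules[0])
static const char *rule_name(int idx)
{ return (idx >= 0 && (size_t)idx < NRULES) ? rules[idx].name : "none"; }

/* Index of the first rule whose first part starts at some offset and whose
 * remaining parts all occur within WINDOW bytes after it (real stubs interleave
 * unrelated instructions, as the HASP listing shows); -1 if nothing matched.
 * *hit receives the offset of the first part when non-NULL. */
static int scan_sice_stub(const uint8_t *code, size_t len, size_t *hit)
{
    for (size_t i = 0; i < len; i++) {
        size_t end = (i + WINDOW < len) ? i + WINDOW : len;
        for (size_t r = 0; r < NRULES; r++) {
            const part_t *p0 = &rules[r].parts[0];
            if (i + p0->len > len || memcmp(code + i, p0->b, p0->len) != 0)
                continue;
            int all = 1;
            for (int p = 1; p < 3 && all; p++) {
                const part_t *pt = &rules[r].parts[p];
                all = 0;
                for (size_t j = i + p0->len; j + pt->len <= end && !all; j++)
                    all = memcmp(code + j, pt->b, pt->len) == 0;
            }
            if (all) { if (hit) *hit = i; return (int)r; }
        }
    }
    return -1;
}

/* Constructed samples: the HASP loop from Method 02 (mov ax,0911h; mov dx,[bx];
 * mov si,4647h; mov di,4A4Dh; int 3; add bx,2; inc cx; cmp cx,6; jb 0095), the
 * plain Method 05 check, and a harmless DOS exit (mov ax,4C00h; int 21h). */
static const uint8_t sample_hasp[]  = { 0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46,
    0xBF,0x4D,0x4A, 0xCC, 0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB };
static const uint8_t sample_int41[] = { 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05 };
static const uint8_t sample_clean[] = { 0xB8,0x00,0x4C, 0xCD,0x21 };
```

Feed scan_sice_stub() a code section read from disk; on sample_hasp it reports the Method 02 rule at offset 5 (the mov si,4647h), on sample_clean it returns -1.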

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number   ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE VxD as a device; only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>