<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: with
EBP = 'BCHK' and AX = 4, the int 3 is answered by a loaded SoftICE,
which changes AL; without SoftICE the int 3 returns with AL still 4.

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands' (int 3 with the magic values in SI/DI), which
give information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911     ; execute command.
    4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647     ; 1st magic value.
    4C19:009D MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
    4C19:00A8 JB   0095        ; 6 different commands.
    4C19:00AA JMP  0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed
  by the program if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first, so it stays 0:0 if no
VxD with that ID answers.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of WINICE
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is swapped
for a dummy IRET handler around the call, so that without SoftICE the
int 41h comes back with AX unchanged (and cannot crash on a missing
handler), whereas SoftICE, which traps int 41h before the vector is
reached, still answers 0F386h. ES must point to segment 0 (the interrupt
vector table), as Method 06 sets it up.

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install dummy handler, keep old offset in DX
    xchg bx, es:[41h*4+2]       ; keep old segment in BX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
function number in AL is read from the timer port (so there is no constant
4Fh to break on), and the dummy handler copies AL into CL. If our handler
ran, CL == AL; if SoftICE handled the int 41h itself and did not chain to
the vector, CL is still 0.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable function number from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints (BPM) are set (DR0 to DR3),
simply by reading their value (ring 0 only: mov from a DRx is a privileged
instruction). The values can be manipulated or changed as well (clearing
BPMs, for instance).
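As an added example (mine, not code from the original page or from SoftICE),
here is the DR7 decoding behind the two numbers quoted above: 0x400 is an
idle DR7 (only the always-set reserved bit 10), 0x700 additionally has the LE
and GE bits (8 and 9) set, and a BPM shows up as one of the L0-L3/G0-G3
enable bits plus the matching R/W and LEN fields. The bit layout is the one
documented in the Intel SDM; reading DR0-DR7 itself needs ring 0 and is not
done here, so the register values below are constructed inputs, and the
classify/clear_bpms names are mine.

```python
from dataclasses import dataclass
from typing import Dict, List

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2n   = Ln  local enable for DRn      bit 2n+1 = Gn  global enable for DRn
#   bit 8    = LE, bit 9 = GE                (exact breakpoint enables)
#   bit 10   = reserved, always reads as 1   (hence the idle value 0x400)
#   bits 16+4n,17+4n = R/Wn  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4n,19+4n = LENn  00 1 byte, 01 2 bytes, 11 4 bytes (10: 8 bytes, 64-bit only)
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


@dataclass
class DebugRegs:
    """Snapshot of DR0-DR3 and DR7 as read in ring 0 (constructed values here)."""
    dr0: int = 0
    dr1: int = 0
    dr2: int = 0
    dr3: int = 0
    dr7: int = 0x400


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into the LE/GE flags and the list of armed breakpoint slots."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"index": n, "local": local, "global": glob,
                          "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1), "breakpoints": slots}


def classify(regs: DebugRegs) -> str:
    """The decision the trick makes once it has the register values."""
    info = decode_dr7(regs.dr7)
    if info["breakpoints"]:
        return "memory breakpoints set"
    if info["LE"] or info["GE"]:
        return "debugger present (LE/GE set, as with the SoftICE loader)"
    return "clean"


def clear_bpms(regs: DebugRegs) -> DebugRegs:
    """What a hostile program does next in ring 0: zero DR0-DR3 and drop every
    enable, R/W and LEN bit, keeping only LE/GE and the reserved bit."""
    return DebugRegs(0, 0, 0, 0, regs.dr7 & 0x700)


if __name__ == "__main__":
    # A BPM on DR0: local enable (bit 0), R/W0 = write, LEN0 = 4 bytes.
    armed = DebugRegs(dr0=0x00401000, dr7=0x400 | 0x1 | 0x10000 | 0xC0000)
    for regs in (DebugRegs(dr7=0x400), DebugRegs(dr7=0x700), armed):
        print(hex(regs.dr7), decode_dr7(regs.dr7), "->", classify(regs))
    print("after clear_bpms:", hex(clear_bpms(armed).dr7))
```

The practical consequence for the debugger side is the warning at the top of
this method: a BPM that is visible in DR7 is also erasable from DR7, which is
why breakpoints should be cleared before letting such code run.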

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name of the Win9x SoftICE VxD; the open
       only succeeds if that VxD is loaded and answers DIOC_OPEN. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-1          ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, so "inc eax" turns failure into zero):

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp  ax, 0F386h             ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

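Every trick above leaves a recognisable byte pattern in the protected file,
which is how you find them without waiting for a breakpoint to fire. As an
added example (mine, not part of the original text nor of any tool named in
it), here is a small Python signature scanner generalised from the opcode
sequences shown in Methods 01-07, 11, 12 and 13: it looks for the 'BCHK'
immediate, the 4647h/4A4Dh magic pair, the int 2Fh/1684h calls with the two
VxD IDs, the int 41h/4Fh and int 68h/43h checks, the \\.\SICE, \\.\SIWVID and
\\.\NTICE device names, the VWIN32_Int41Dispatch VxDCall and the NuMega
registry key. The opcode bytes are the standard x86 encodings of the
instructions quoted in those methods; the sample blob is assembled by hand
from them for the demonstration and is not taken from any real program, and
the M01..M13 labels are mine.

```python
import re
import sys
from typing import List, Tuple

# (label, description, byte regex). Opcode bytes are the standard x86
# encodings of the instructions shown in the corresponding method: 16-bit
# operand size for the DOS/real-mode tricks, 32-bit for the Win32 ones.
# The 66h operand-size prefix that precedes "mov ebp,imm32" in 16-bit code
# is deliberately left out of M01 so it matches either bitness.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' int 3 check (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("M02", "SoftICE back door magic (mov si,4647h ; mov di,4A4Dh)",
     rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"),
    ("M03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f"),
    ("M04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    ("M05", "int 41h function 4Fh (mov ax,4Fh ; int 41h)",
     rb"\xb8\x4f\x00.{0,16}?\xcd\x41"),
    ("M07", "int 68h function 43h (mov ah,43h ; int 68h)",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
    ("M11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("M13", "SoftICE registry key (Software\\NuMega\\SoftICE)",
     rb"Software\\NuMega\\SoftICE"),
]
# DOTALL so the ".{0,n}?" gaps between instructions may contain any byte.
COMPILED = [(label, desc, re.compile(pat, re.DOTALL)) for label, desc, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, label, description) for every signature hit, ordered by offset."""
    hits = []
    for label, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label, desc))
    return sorted(hits)


def labels(data: bytes) -> List[str]:
    """Just the method labels, in file order."""
    return [label for _, label, _ in scan(data)]


# Constructed sample: the encodings of several snippets from the methods
# above, glued together with a few NOPs. It is not a real file.
SAMPLE = (
    b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # Method 01 (16-bit code)
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"         # Method 02 (Haspinst loop body)
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"         # Method 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"                 # Method 05, simplest form
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11 device names
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                              # Method 12
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label, desc in scan(blob):
        print(f"{off:08x}  {label}  {desc}")
```

Run it with a file name to scan a real binary, or without arguments to scan
the constructed sample. The short ".{0,n}?" gaps are what keep the patterns
useful against code that interleaves junk instructions between the setup and
the int, as Haspinst does with its MOV DX,[BX]; widen them if a packer spaces
the instructions further apart, at the cost of more false positives.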
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag (the Zero flag is set on return when no
debugger is installed).
</PRE></TD></TR></TBODY></TABLE>