<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 (the real-mode IVT segment); Method 06 below shows
        ; the xor ax,ax / mov es,ax set-up. The dummy handler makes int 41h
        ; return harmlessly (ax unchanged) when nothing else services it.
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
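To make the two DR7 values quoted above concrete, here is an added example (not code from the original text) that decodes a DR7 value into its architectural fields: the L/G enable bits, the R/W and LEN fields of DR0..DR3, and the LE/GE/GD flags, as documented in the Intel SDM. Run on the text's values it shows that 0x400 is nothing but the always-set reserved bit 10, while 0x700 additionally has the LE and GE (exact breakpoint match) bits set; the observation that the SoftICE loader produces 0x700 is the text's, not something the decoder derives. The third value in the demo is constructed here.

```python
"""Decode an x86 DR7 debug-control register value (Intel SDM vol. 3, ch. 17).
Added example for the Debug Registers trick above; not part of the original text."""

# R/W field meanings (bits 16-17 for DR0, 20-21 for DR1, and so on).
# "io" applies only when CR4.DE is set.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field meanings (bits 18-19 for DR0, 22-23 for DR1, and so on).
# 8 bytes exists only in 64-bit mode; the encoding is undefined on 32-bit.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict with the breakpoints enabled in DR7 and its control flags.

    'enabled' lists (index, kind, length) for every DRn whose Ln or Gn bit is
    set; the other keys are the single-bit flags of the register.
    """
    fields = {
        "enabled": [],
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint match
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint match
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: trap on DRn access
    }
    for i in range(4):
        local_on = dr7 >> (2 * i) & 1
        global_on = dr7 >> (2 * i + 1) & 1
        if local_on or global_on:
            rw = dr7 >> (16 + 4 * i) & 3
            ln = dr7 >> (18 + 4 * i) & 3
            fields["enabled"].append((i, RW_KIND[rw], LEN_BYTES[ln]))
    return fields


def describe_dr7(dr7):
    """One-line human-readable summary of a DR7 value read in ring0."""
    f = decode_dr7(dr7)
    flags = [name for name in ("LE", "GE", "GD") if f[name]]
    if f["enabled"]:
        bps = ", ".join(f"DR{i}={kind}/{ln}B" for i, kind, ln in f["enabled"])
    else:
        bps = "no hardware breakpoints"
    return f"DR7=0x{dr7:X}: {bps}; flags={'+'.join(flags) or 'none'}"


if __name__ == "__main__":
    for value in (0x400, 0x700):                # the two values quoted in the text
        print(describe_dr7(value))
    # constructed: DR0 armed as a 4-byte write watchpoint (L0=1, RW0=01, LEN0=11)
    print(describe_dr7(0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)))
```

The decoder is what a ring0 reader of DR0..DR7 would feed its raw values into: a non-empty 'enabled' list is exactly the "memory breakpoints set" case the text describes, and the flag bits explain why 0x700 and 0x400 differ by 0x300.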

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);       /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
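Several of the tricks above leave fixed byte patterns in a binary: the 'BCHK' constant followed by int 3 (Method 01), the SI=4647h/DI=4A4Dh pair before int 3 (Method 02), mov ax,4Fh followed by int 41h (Method 05), the \\.\SICE-style device names (Method 11) and the registry paths (Method 13). The scanner below is an added example, not code from the original text: it looks for those idioms in a raw byte buffer and reports the offset and method of each hit. The instruction encodings are the standard 16/32-bit x86 ones, the gap widths between instructions are a choice made here, and the sample buffer is constructed by hand-assembling the Method 01 and 05 snippets and the Haspinst.exe loop (the text shows only their disassembly).

```python
"""Static scan of a raw binary for the SoftICE-detection idioms of Methods 01,
02, 05, 11 and 13.  Added example, not part of the original text."""
import re

# Device names opened by MeltICE-style checks (Method 11) and the registry
# paths of Method 13, both as given in the text above.
DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]
REGISTRY_PATHS = [
    rb"Software\NuMega\SoftICE",
    rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
]

# Encodings assumed: mov ebp,imm32 = BD imm32 (32-bit code); mov si/di,imm16 =
# BE/BF imm16 and mov ax,imm16 = B8 imm16 (16-bit code, 66 prefix in 32-bit);
# int 3 = CC; int imm8 = CD imm8.  Immediates are little-endian, so 'BCHK'
# (4243484Bh) appears as 4B 48 43 42.  The .{0,N}? gaps (chosen here) allow a
# few interleaved instructions between the marker and the interrupt.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' check (mov ebp,4243484Bh ... int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    ("M02 back-door magic SI=4647h/DI=4A4Dh ... int 3",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46.{0,16}?\xCC", re.S)),
    ("M05 debugger check (mov ax,4Fh ... int 41h)",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    ("M11 SoftICE device name",
     re.compile(b"|".join(re.escape(n) for n in DEVICE_NAMES))),
    ("M13 SoftICE registry path",
     re.compile(b"|".join(re.escape(p) for p in REGISTRY_PATHS), re.I)),
]


def scan(buf):
    """Return sorted (offset, label) pairs for every signature found in buf."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample image: an ordinary prologue, then the Method 01 snippet,
# the Haspinst.exe loop and the Method 05 snippet (each hand-assembled here),
# then a small data area.  Offsets: M01 at 3, M02 loop at 15, M05 at 34,
# device name at 46, registry path at 55.
SAMPLE = (
    bytes.fromhex("55 8B EC")                        # push bp / mov bp,sp
    + bytes.fromhex("BD 4B 48 43 42"                 # mov ebp,4243484Bh
                    "66 B8 04 00"                    # mov ax,04h
                    "CC"                             # int 3
                    "3C 04")                         # cmp al,4
    + bytes.fromhex("B8 11 09"                       # mov ax,0911h
                    "8B 17"                          # mov dx,[bx]
                    "BE 47 46"                       # mov si,4647h
                    "BF 4D 4A"                       # mov di,4A4Dh
                    "CC"                             # int 3
                    "83 C3 02"                       # add bx,02
                    "41"                             # inc cx
                    "83 F9 06")                      # cmp cx,06
    + bytes.fromhex("B8 4F 00"                       # mov ax,4Fh
                    "CD 41"                          # int 41h
                    "3D 86 F3")                      # cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"SICE alone is not a device name"              # must not be reported
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run over a real file, scan() gives an analyst the same triage the BPX conditions above give a SoftICE user, but statically and before the program is ever executed; the 'SICE' word at the end of the sample shows why the device-name signature insists on the \\.\ prefix.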

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>