<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI still 0:0 -> no entry point, no SoftICE
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; (ES must point to segment 0, the interrupt vector table; see Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]           ; keeping the old vector in DX:BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h                  ; our handler does not touch AX, a debugger does
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> segment 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing value (timer channel 0)
        xor cx,cx
        int 41h                 ; if our handler ran, CL now equals AL
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected    ; CL != AL: something else handled int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
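The checks of Methods 01 to 07 are short, fixed instruction sequences, so an analyst can find them in a sample before ever stepping into it. The scanner below is an added example, not code from the original document: it hand-encodes the sequences listed above (16-bit real-mode encodings for the DOS checks, 32-bit for Method 01's mov ebp) and matches each one as an ordered set of fragments inside a small window, so unrelated instructions interleaved between them (as in the Haspinst loop) do not break the match. The WINDOW size, the labels and the SAMPLE buffer (the Haspinst loop re-encoded from the listing, plus the simplest Method 05 check) are constructed for the example.

```python
"""Signature scan for the SoftICE checks of Methods 01 to 07 (added example)."""
from typing import List, Tuple

WINDOW = 24  # bytes; constructed for the example, wide enough for the listings above

Signature = Tuple[str, Tuple[bytes, ...]]

SIGNATURES: List[Signature] = [
    # Method 01 (32-bit code): mov ebp,4243484Bh ; mov ax,4 ; int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     (bytes.fromhex("BD4B484342"), bytes.fromhex("66B80400"), b"\xCC")),
    # Method 02: mov si,4647h ('FG') ; mov di,4A4Dh ('JM') ; int 3
    ("M02 SoftICE back door SI=4647h/DI=4A4Dh int 3",
     (bytes.fromhex("BE4746"), bytes.fromhex("BF4D4A"), b"\xCC")),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",
     (bytes.fromhex("B88416"), bytes.fromhex("BB0202"), bytes.fromhex("CD2F"))),
    # Method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     (bytes.fromhex("B88416"), bytes.fromhex("BB5F7A"), bytes.fromhex("CD2F"))),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh magic F386h",
     (bytes.fromhex("B84F00"), bytes.fromhex("CD41"), bytes.fromhex("3D86F3"))),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h magic F386h",
     (bytes.fromhex("B443"), bytes.fromhex("CD68"), bytes.fromhex("3D86F3"))),
]


def _match_at(buf: bytes, frags: Tuple[bytes, ...], start: int) -> bool:
    """True if every fragment occurs in order, without overlap, within WINDOW bytes of start."""
    limit = min(len(buf), start + WINDOW)
    pos = start
    for frag in frags:
        idx = buf.find(frag, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature match, sorted by offset."""
    hits = []
    for label, frags in SIGNATURES:
        idx = buf.find(frags[0])
        while idx >= 0:
            if _match_at(buf, frags, idx):
                hits.append((idx, label))
            idx = buf.find(frags[0], idx + 1)
    return sorted(hits)


# Constructed sample (not taken from a real binary): the Haspinst.exe loop from
# Method 02, re-encoded byte for byte from the listing (the addresses 0095..00AD
# check out), followed by the simplest Method 05 check, embedded in filler.
HASP_LOOP = bytes.fromhex(
    "B81109"    # 0095 MOV AX,0911
    "8B17"      # 0098 MOV DX,[BX]
    "BE4746"    # 009A MOV SI,4647
    "BF4D4A"    # 009D MOV DI,4A4D
    "CC"        # 00A0 INT 3
    "83C302"    # 00A1 ADD BX,02
    "41"        # 00A4 INC CX
    "83F906"    # 00A5 CMP CX,06
    "72EB"      # 00A8 JB 0095
    "E955FF"    # 00AA JMP 0002
    "8BDC"      # 00AD MOV BX,SP
)
# mov ax,4Fh / int 41h / cmp ax,0F386h / jz +5
INT41_CHECK = bytes.fromhex("B84F00" "CD41" "3D86F3" "7405")
SAMPLE = b"MZ" + b"\x90" * 14 + HASP_LOOP + b"\x00" * 6 + INT41_CHECK + b"\x00" * 4


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Running the block prints the Method 02 hit at offset 0x15 and the Method 05 hit at offset 0x30. Method 06 is deliberately absent from the table: it carries no literal 4Fh or F386h, and `cmp cl,al` has two valid encodings, so it needs a looser rule (an int 41h near an `in al,40h`) rather than a fixed fragment.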


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
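To see why DR7 reads 0x400 on an idle machine and 0x700 under the loader, and what a protector sees when it reads DR0-DR3, it helps to decode the register field by field. The decoder below is an added example, not code from the original document; it follows the DR7 layout from the Intel manuals (bits 0-7 are the L0/G0..L3/G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved and always 1, bit 13 GD, then a 2-bit R/W and a 2-bit LEN field per slot from bit 16 up). The function names and the sample register values are constructed for the example.

```python
"""Decoder for the x86 debug registers that Method 10 reads (added example)."""
from dataclasses import dataclass
from typing import List, Sequence

RESERVED_BIT10 = 0x400          # always set, so an idle DR7 reads 0x400
LE_BIT, GE_BIT, GD_BIT = 0x100, 0x200, 0x2000
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}  # 0b10 means 8 bytes in 64-bit mode only


@dataclass
class Slot:
    """One hardware breakpoint slot: DRn paired with its DR7 control bits."""
    index: int
    local: bool
    global_: bool
    kind: str
    length: int
    address: int

    @property
    def enabled(self) -> bool:
        return self.local or self.global_


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> dict:
    """Split DR7 into its flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        slots.append(Slot(
            index=i,
            local=bool((dr7 >> (2 * i)) & 1),
            global_=bool((dr7 >> (2 * i + 1)) & 1),
            kind=RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
            length=LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            address=dr0_3[i],
        ))
    return {"LE": bool(dr7 & LE_BIT), "GE": bool(dr7 & GE_BIT),
            "GD": bool(dr7 & GD_BIT), "slots": slots}


def active_breakpoints(dr7: int, dr0_3: Sequence[int]) -> List[Slot]:
    """The memory breakpoints visible to code that reads DR0-DR3/DR7 as in Method 10."""
    return [s for s in decode_dr7(dr7, dr0_3)["slots"] if s.enabled]


def matches_loader_signature(dr7: int) -> bool:
    """The text's heuristic: 0x700 is LE and GE set on top of bit 10; 0x400 is neither."""
    return (dr7 & (LE_BIT | GE_BIT)) == (LE_BIT | GE_BIT)


def with_breakpoints_cleared(dr7: int) -> int:
    """Which bits 'clearing BPMs' touches: the eight enable bits, nothing else."""
    return dr7 & ~0xFF


def describe(dr7: int, dr0_3: Sequence[int]) -> List[str]:
    """Readable summary: one line of flags, then one line per enabled slot."""
    info = decode_dr7(dr7, dr0_3)
    lines = [f"DR7={dr7:#x} LE={info['LE']} GE={info['GE']} GD={info['GD']}"]
    for s in info["slots"]:
        if s.enabled:
            scope = "global" if s.global_ else "local"
            lines.append(f"  DR{s.index}={s.address:#x} {scope} {s.kind} len={s.length}")
    return lines


if __name__ == "__main__":
    # Constructed values: a local 4-byte write breakpoint in slot 0 (L0, R/W0=01,
    # LEN0=11) and a global execute breakpoint in slot 3 (G3), on top of bit 10.
    for line in describe(0xD0481, (0x401000, 0, 0, 0x401234)):
        print(line)
```

A BPM set with SoftICE shows up as an enabled slot with a non-zero address, which is exactly what the trick reads; once the enable bits are gone the address in DRn may still be there, so a check that only looks at DR0-DR3 and a check that looks at DR7 do not see the same thing.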

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when a handle to the SICE device can be opened,
   i.e. when the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025            ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0 when the open failed
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>