<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
dummy int 41h handler only copies AL into CL, and AL holds an unpredictable
value read from the timer (port 40h), so what is really checked is whether
the program's own handler ran: if SoftICE is servicing int 41h instead, CL
stays at 0 and differs from AL.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the PIT
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE Win9x VxD by its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* handle opened: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (codes
05 &amp; 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

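As an added example that is not part of the original text, here is a Python scanner for the byte encodings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above: the static check an analyst would run over a suspect file before stepping into it with a debugger. The opcode encodings, the labels and the SAMPLE buffer are my own assumptions; the scanner is static, so a trick that builds these bytes at run time will not match.

```python
import re
import sys
from typing import List, Tuple

# Byte encodings of the anti-SoftICE tricks described above (16/32-bit x86).
# Assumptions: 16-bit operand forms as in the DOS listings, with an optional
# 66h prefix where a 32-bit program would emit one; the labels are mine.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (backdoor magic values)
    ("M02 int 3 backdoor (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h  (the AX==F386h compare usually follows)
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,4}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h V86 check",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 11: device names opened via CreateFileA / _lopen (MeltICE)
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S)),
    # Method 13: registry paths of a SoftICE installation
    ("M13 SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every signature hit, ordered by offset."""
    hits = [(label, m.start()) for label, pat in SIGNATURES for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a few of the tricks above glued together with padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (16-bit)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\\\\.\\SICE\x00"                                            # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # Method 12
)

if __name__ == "__main__":
    # scan the file named on the command line, or the built-in sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, off in scan(blob):
        print(f"{off:#010x}  {label}")
```

A hit is a reason to look at that offset, not proof on its own: the int 41h and int 2Fh sequences also appear in legitimate DOS code that talks to debuggers or VxDs.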
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>