<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 when no debugger answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h                 ; our handler copies al into cl
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl differs from al if our handler never ran
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
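As an added example (not part of the original text), here is a Python decoder for the DR7 layout, so the two values quoted above can be read: bit 10 is reserved and always reads as 1 (that is the 0x400), bits 8 and 9 are LE and GE (the extra 0x300 in the loader case), bits 0-7 are the local/global enables for dr0-dr3, and bits 16-31 hold each breakpoint's condition and length. The field layout comes from the Intel SDM, not from this page; the sample values at the bottom are constructed.

```python
# Added example: decode an x86 DR7 value (field layout per the Intel SDM).
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LENn encoding (2 = 8 bytes on 64-bit CPUs)


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE/GD flags and one entry per enabled hardware breakpoint."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bit 2n
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bit 2n+1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: bits 16+4n, 17+4n
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: bits 18+4n, 19+4n
            bps.append({"index": n, "local": bool(local), "global": bool(glob),
                        "condition": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),           # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),           # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),          # general detect (traps MOV to/from DRn)
        "breakpoints": bps,
    }


def describe_dr7(dr7: int) -> str:
    """One-line summary of what a ring0 read of dr7 would reveal."""
    d = decode_dr7(dr7)
    flags = ", ".join(f for f in ("LE", "GE", "GD") if d[f]) or "no flags"
    bpm = ("; ".join(f"dr{b['index']} {b['condition']} len={b['length']}"
                     for b in d["breakpoints"]) or "no BPM active")
    return f"dr7=0x{dr7:x}: {flags}; {bpm}"


if __name__ == "__main__":
    # Constructed values: the two quoted on this page, plus one with a BPM on dr0
    # (L0 set, R/W0 = read/write, LEN0 = 4 bytes).
    for v in (0x700, 0x400, 0x400 | 1 | (3 << 16) | (3 << 18)):
        print(describe_dr7(v))
```

Decoding 0x700 gives LE and GE with no breakpoints, 0x400 gives neither; a BPM set by SoftICE shows up as an enabled dr0-dr3 entry with its condition and length, which is what the trick reads.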
+ y" `0 B0 ^, r. |0 v. w. A__________________________________________________________________________
2 q+ c' n x* |- B/ x8 f3 a' p: }% Q7 R Z2 ^7 U/ @/ X5 S
Method 11+ w3 M4 x' D3 E5 [3 V
=========4 o# _. h4 o; s; t7 L% S
, C( K0 L! f# ^ w9 X! m+ HThis method is most known as 'MeltICE' because it has been freely distributed$ s* ~( K. L: |- l g2 Y+ g
via www.winfiles.com. However it was first used by NuMega people to allow! f, g* h5 z8 l! I: Z
Symbol Loader to check if SoftICE was active or not (the code is located
+ g% K1 i8 F6 E1 ]0 `inside nmtrans.dll).
r% ]. u. j0 o# N, x) t# v
; F0 n& q+ q- a5 S2 kThe way it works is very simple:
- Q3 o5 ^- i3 F) ?" g* Q$ MIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
- A `7 H s# v* Y q4 h6 R/ iWinNT) with the CreateFileA API.
f% m/ i2 x& f; k# \% l
* n1 J; P1 X- ]7 I. [Here is a sample (checking for 'SICE'):
! }% @* |- u: k! O: Y4 [: a/ C
/ N; c4 r( \6 E$ a- k; P/ ~5 oBOOL IsSoftIce95Loaded(). Z) S: t: Q, A/ m5 b
{
' x( `8 i4 v# K& Y HANDLE hFile;
: l. e4 r5 y, A, e hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: x- ?0 `! h/ k& \) J+ `+ z
FILE_SHARE_READ | FILE_SHARE_WRITE,
" k! e! Z; _( V/ m$ L7 ^- a+ v NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
/ Y0 q0 T. X- Y& k) g, H# c* q if( hFile != INVALID_HANDLE_VALUE )
8 e3 P$ d. o5 s0 d/ i% n3 k8 w {
- i; G5 N) |* Y CloseHandle(hFile);9 f5 _, K: r0 C1 R3 _. q# p$ N
return TRUE;
" s, d# S6 P7 ~4 K# k0 l }
: K( f# v b) N return FALSE;
% P4 _ N5 R8 c; z9 D" ^: B}
6 P: A/ @( J. y# E% n! b. M! {
, P/ P% F/ } ^$ VAlthough this trick calls the CreateFileA function, don't even expect to be
4 d* S, N9 J w) D& |able to intercept it by installing a IFS hook: it will not work, no way!
7 m& }+ U a3 V, OIn fact, after the call to CreateFileA it will get through VWIN32 0x001F9 s( P' L, b1 M# m) d! E+ }# o
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
/ J/ i; V6 g; r8 r3 v. zand then browse the DDB list until it find the VxD and its DDB_Control_Proc' u* N; Z: M. E! A" X: J( B2 Z
field.
& a1 B$ \ C: r1 T( V2 o6 AIn fact, its purpose is not to load/unload VxDs but only to send a
+ }. Y- ^4 j2 o3 s oW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
* q4 X. r7 N8 v1 `0 Uto the VxD Control_Dispatch proc (how the hell a shareware soft could try7 r! K9 ]4 g& {" a4 u6 C5 t0 X! E! i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).- K! ]6 B, H; ?/ M" N
If the VxD is loaded, it will always clear eax and the Carry flag to allow* w. p* E1 }) s8 m5 T' H9 G
its handle to be opened and then, will be detected.& `1 T- }: u2 k* i8 t* K
You can check that simply by hooking Winice.exe control proc entry point
& Y8 H5 w7 k$ U+ @while running MeltICE.
. \$ m Y8 A# d( O' S0 \2 n7 o L) l' c, \& Q0 o% U8 I9 T) Q
9 y6 j: X& J; {( i& E, h: g
00401067: push 00402025 ; \\.\SICE2 ^2 s) q& n3 ?, _/ h
0040106C: call CreateFileA
; G# i$ y0 ]" |8 \+ N) n4 S6 x 00401071: cmp eax,-001
& g% ~) |1 k. w2 {6 }8 P+ b0 N6 J 00401074: je 00401091
) w% { l5 b+ r# \0 f ~1 _* t
4 e4 e8 _% k- q7 [. F: Q8 c [
7 o0 |+ S9 C3 U6 C1 Y" EThere could be hundreds of BPX you could use to detect this trick.
6 P" _) B4 v: `) t. h X-The most classical one is:
5 i2 m- s8 d6 S! y* c' |- X BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
. b. T @$ H5 H4 ]/ | *(esp->4+4)=='NTIC'
0 X0 E1 Z5 o! }) r
1 ~4 D+ m R5 J: S1 @2 j0 h-The most exotic ones (could be very slooooow :-(- z$ |3 I0 W" D* J
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') & p" d; E% p" r7 c8 C
;will break 3 times :-(
& _2 x# v! P1 ~/ O" o5 v W
5 m6 k" i! F# f6 J# n-or (a bit) faster: ! u6 j, m- j J; |* {
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
- P! ~# H" a" f p: L1 E" k Z7 v3 ]) w! \
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
- J, K# A2 S a5 U' y ;will break 3 times :-(! X1 P6 @" d* U4 B2 K/ ?
) q7 _* l6 i( A3 Z0 A
-Much faster:; {7 B" }. A# k
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV', O; I; a8 D: h- Z% c) o+ ^
- I+ t/ i! ^- c2 X+ f4 g' [Note also that some programs (like AZPR3.00) use de old 16-bit _lopen5 F. K( t. P* `1 `
function to do the same job:
" Y7 ]2 a* n; \, N0 S
) w2 C# m& ]! B push 00 ; OF_READ
% G/ B0 B3 n1 ^) s. H/ Z" y4 f1 E mov eax,[00656634] ; '\\.\SICE',0
" E3 F S( a4 @7 l# v push eax3 m; Y! U, e' |9 q" l/ V0 E+ l; c
call KERNEL32!_lopen8 L" p* [8 u$ }7 w& k
inc eax
1 r g# e3 `! i( E jnz 00650589 ; detected
3 r1 {" q7 Y: J) h/ R' H push 00 ; OF_READ- U1 B+ K0 O8 c6 S5 m9 e
mov eax,[00656638] ; '\\.\SICE'+ [! [8 t( e4 L9 K! G- [0 ]
push eax
5 H4 z. T$ h4 G* s1 k call KERNEL32!_lopen! j) z( Z7 E2 z; f" E. }( i
inc eax% C5 U( n6 N9 V0 C" J
jz 006505ae ; not detected
$ ~ I, D, s) `. y1 W; Z% ?8 r9 ^
' p3 O# g$ t7 O__________________________________________________________________________ p' n0 F* D* Y6 z# b
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
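Most of the tricks above (methods 01, 02, 03/04, 05, 07, 11 and 12) boil down to a handful of fixed immediates and strings, so an analyst triaging a packed sample can look for them statically instead of waiting for a breakpoint. The following Python scanner is an added example, not from the original text: it encodes the page's constants as x86 byte patterns (mov ax/bx/si/di imm16 with an optional 66h operand-size prefix for 32-bit code, mov ebp imm32, cmp ax imm16, int imm8, push imm32, and the \\.\SICE device names) and reports where they occur. The opcode encodings are standard x86; the sample buffer at the bottom is constructed here and is not a real program.

```python
# Added example: static scan for the anti-SoftICE constants catalogued on this page.
import re
import struct

OPT66 = rb"(?:\x66)?"                      # operand-size prefix seen in 32-bit code


def _imm16(opcode: bytes, value: int) -> bytes:
    """Regex fragment for <opcode> imm16, allowing the 66h prefix (little-endian immediate)."""
    return OPT66 + re.escape(opcode + struct.pack("<H", value))


# name -> bytes regex. B8/BB/BE/BF = mov ax/bx/si/di,imm16; BD = mov ebp,imm32;
# 3D = cmp ax,imm16; B4 = mov ah,imm8; CD = int imm8; 68 = push imm32.
INT2F = re.escape(b"\xCD\x2F")
SIGNATURES = {
    "M01 mov ebp,'BCHK' (BoundsChecker int 3)": re.escape(b"\xBD" + struct.pack("<I", 0x4243484B)),
    "M02 back door magic SI=4647h DI=4A4Dh":     _imm16(b"\xBE", 0x4647) + _imm16(b"\xBF", 0x4A4D),
    "M03 int 2Fh/1684h, SICE VxD ID 0202h":      _imm16(b"\xB8", 0x1684) + _imm16(b"\xBB", 0x0202) + INT2F,
    "M04 int 2Fh/1684h, SIWVID VxD ID 7A5Fh":    _imm16(b"\xB8", 0x1684) + _imm16(b"\xBB", 0x7A5F) + INT2F,
    "M05 int 41h fn 4Fh":                        _imm16(b"\xB8", 0x004F) + re.escape(b"\xCD\x41"),
    "M05/07/12 cmp ax,0F386h":                   _imm16(b"\x3D", 0xF386),
    "M07 int 68h fn 43h":                        re.escape(b"\xB4\x43\xCD\x68"),
    "M11 device name \\\\.\\SICE":               re.escape(b"\\\\.\\SICE"),
    "M11 device name \\\\.\\SIWVID":             re.escape(b"\\\\.\\SIWVID"),
    "M11 device name \\\\.\\NTICE":              re.escape(b"\\\\.\\NTICE"),
    "M12 push 002A002Ah (VWIN32_Int41Dispatch)": re.escape(b"\x68" + struct.pack("<I", 0x002A002A)),
}
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real program): a few of the page's tricks
# laid out back to back, with NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02: mov ax,911h / mov si / mov di / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03: mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x68\x2A\x00\x2A\x00"                       # Method 12: push 002A002Ah
    + b"\\\\.\\SICE\x00"                            # Method 11: device name
)


if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it on a dumped, unpacked image rather than on the packed file itself: these constants are usually hidden by the packer's encryption layer and only appear in memory once the stub has run, which is exactly why the page's breakpoint-based checks are still needed.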

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>