<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP holding the
'BCHK' signature and AX=4, the INT 3 is answered by SoftICE, which returns
with AL changed. If nothing answers the interrupt, AL still holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' commands, which give information about breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler:
it hooks INT 3 beforehand, so if no debugger answers the interrupt its
handler gets control and resumes execution at 00ADh.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is loaded, ES:DI
comes back non-zero.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the entry
point of the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This variant swaps its own (empty) handler
into the int 41h vector before the call, so that the interrupt is harmless
when no debugger is present (under bare DOS the int 41h vector is the
fixed-disk parameter table pointer, not code), and restores the original
vector afterwards. ES must point to segment 0 (the interrupt vector table)
for the xchg instructions to hit the vector:

        xor ax,ax
        mov es,ax               ; ES = 0000h -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old offset
        xchg bx, es:[41h*4+2]   ; ... and the old segment
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to spot: there is no
0F386h constant to break on. Instead of looking at the return value, it
checks whether its own handler ran at all. The handler copies AL (a fresh
timer reading from port 40h) into CL. If SoftICE has hooked int 41h, the
call never reaches the program's handler, CL stays 0, and CL != AL gives the
game away. (If the timer byte happens to be 0 the check misfires; the odds
are roughly 1 in 256.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0000h -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode). Function 43h is
the debugger installation check; it returns AX=0F386h when a debugger is
present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number           ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether there are memory breakpoints set (DR0 to DR3), simply
by reading their values (ring 0 only: a MOV from a debug register faults in
ring 3). The 0x400 is just bit 10 of DR7, which always reads as 1; 0x700
adds the LE and GE (exact breakpoint) bits 8 and 9. Values can be
manipulated and changed as well (clearing BPMs, for instance).

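To make the DR7 values above concrete, here is a small decoder, added here as an illustration; it is not code from the original text or from any SoftICE tool. It takes a DR7 value (constructed sample values; the real register can only be read with MOV from DR7 in ring 0, as said above) and reports the LE/GE bits and every armed DR0..DR3 breakpoint with its type and length, then applies the 0x400-versus-0x700 heuristic from the text:

```c
/*
 * DR7 decoder: worked example for the "read the debug registers" trick.
 * Added illustration, not code from the original text. Sample values below
 * are constructed; on real hardware DR7 is read with "mov eax, dr7", which
 * raises #GP unless executed in ring 0.
 *
 * DR7 layout (Intel SDM vol. 3, Debug Registers):
 *   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bit  8, 9   LE, GE                   "exact" breakpoint enables
 *   bit  10     reserved, reads as 1     -> 0x400 is the idle value
 *   bit  13     GD                       general detect (traps DRx access)
 *   bits 16+4i  R/W(i): 00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4i  LEN(i): 00 1 byte, 01 2 bytes, 11 4 bytes (10: 8 on x86-64)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dr7_info {
    int le, ge, gd;       /* exact-breakpoint and general-detect bits */
    int enabled[4];       /* DR0..DR3 armed (L or G bit set) */
    const char *kind[4];  /* "exec", "write", "io", "rw" */
    int len[4];           /* watched length in bytes */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    static const char *const kinds[4] = { "exec", "write", "io", "rw" };
    static const int lens[4] = { 1, 2, 8, 4 };
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        unsigned l = (dr7 >> (2 * i)) & 1;
        unsigned g = (dr7 >> (2 * i + 1)) & 1;
        info.enabled[i] = (l | g) != 0;
        info.kind[i] = kinds[(dr7 >> (16 + 4 * i)) & 3];
        info.len[i] = lens[(dr7 >> (18 + 4 * i)) & 3];
    }
    return info;
}

/* Small accessors for one breakpoint slot (i = 0..3). */
int dr7_bp_enabled(uint32_t dr7, int i) { struct dr7_info x = dr7_decode(dr7); return x.enabled[i]; }
const char *dr7_bp_kind(uint32_t dr7, int i) { struct dr7_info x = dr7_decode(dr7); return x.kind[i]; }
int dr7_bp_len(uint32_t dr7, int i) { struct dr7_info x = dr7_decode(dr7); return x.len[i]; }

/* The heuristic from the text: a program started under the SoftICE loader is
 * said to see DR7 == 0x700 (LE+GE on top of the always-set bit 10) instead of
 * 0x400, and any armed DR0..DR3 slot means a BPM is set. */
int dr7_looks_debugged(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    if (info.le && info.ge)
        return 1;
    for (int i = 0; i < 4; i++)
        if (info.enabled[i])
            return 1;
    return 0;
}

int main(void)
{
    /* constructed sample values, not read from a real machine */
    const uint32_t samples[] = { 0x400, 0x700, 0x000D0003, 0x00000010 };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        struct dr7_info info = dr7_decode(samples[s]);
        printf("DR7=%08x LE=%d GE=%d GD=%d -> %s\n", samples[s], info.le, info.ge,
               info.gd, dr7_looks_debugged(samples[s]) ? "debugger/BPM" : "clean");
        for (int i = 0; i < 4; i++)
            if (info.enabled[i])
                printf("  DR%d armed: %s, %d byte(s)\n", i, info.kind[i], info.len[i]);
    }
    return 0;
}
```

0x000D0003 in the sample set is what a 4-byte write watchpoint on DR0 (a SoftICE BPMD ... W) looks like: L0 and G0 set, R/W0 = 01, LEN0 = 11. The decoder only reads a value you pass in; the dangerous part, reading and rewriting the real registers from ring 0 while SoftICE is live, is exactly what the warning at the top of this method is about.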
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
   comparison sees the four characters after it)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; -1 (HFILE_ERROR) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

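As an added example (not code from the original text, nor from Haspinst.exe, MeltICE, Bleem or any other program named here), here is a small C scanner that looks for the byte encodings of the stubs shown in Methods 01 to 07, 11 and 12 in a file or buffer: the kind of check you run on an unpacked image or a memory dump to find where the anti-SoftICE code sits before deciding which breakpoint to set. The signature table, the signature names and the sample buffer are all constructed for this example.

```c
/* Static signature scanner for the anti-SoftICE stubs of Methods 01..07, 11
 * and 12. Added illustration; not code from the original text or from any
 * program it names. Patterns are the plain x86 encodings of the listed
 * sequences (16-bit operand size, as in the listings) and the MeltICE device
 * names; "??" is a wildcard byte. SAMPLE is a constructed input buffer. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sig { const char *name; const char *hex; };
static const struct sig SIGS[] = {
    { "Method 01: mov ebp,4243484Bh ('BCHK')",                      "BD 4B 48 43 42" },
    { "Method 02: mov si,4647h / mov di,4A4Dh / int 3",             "BE 47 46 BF 4D 4A CC" },
    { "Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE)",    "B8 84 16 BB 02 02 CD 2F" },
    { "Method 04: mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID)",  "B8 84 16 BB 5F 7A CD 2F" },
    { "Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h",            "B8 4F 00 CD 41 3D 86 F3" },
    { "Method 07: mov ah,43h / int 68h",                            "B4 43 CD 68" },
    { "Method 11: device name \\\\.\\SICE",                         "5C 5C 2E 5C 53 49 43 45" },
    { "Method 11: device name \\\\.\\SIWVID",                       "5C 5C 2E 5C 53 49 57 56 49 44" },
    { "Method 11: device name \\\\.\\NTICE",                        "5C 5C 2E 5C 4E 54 49 43 45" },
    { "Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)", "68 4F 00 00 00 68 2A 00 2A 00" },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
#define MAX_PAT 32

struct pat { uint8_t byte[MAX_PAT], care[MAX_PAT]; size_t len; };
struct hit { const char *name; size_t offset; };

/* Parse "BE 47 ?? CC" into value/mask arrays; returns 0 on malformed input. */
static int parse_hex(const char *hex, struct pat *p)
{
    for (p->len = 0; *hex; hex += 2, p->len++) {
        while (*hex == ' ') hex++;
        if (!*hex) break;
        if (p->len >= MAX_PAT) return 0;
        if (hex[0] == '?' && hex[1] == '?') {
            p->byte[p->len] = 0; p->care[p->len] = 0;
        } else if (isxdigit((unsigned char)hex[0]) && isxdigit((unsigned char)hex[1])) {
            char tmp[3] = { hex[0], hex[1], 0 };
            p->byte[p->len] = (uint8_t)strtoul(tmp, NULL, 16); p->care[p->len] = 1;
        } else return 0;
    }
    return p->len > 0;
}

/* Scan buf for every signature; records up to max_hits hits and returns the
 * total number found, so a caller can tell when the table overflowed. */
size_t scan_buffer(const uint8_t *buf, size_t n, struct hit *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        struct pat p;
        if (!parse_hex(SIGS[s].hex, &p)) continue;
        for (size_t off = 0; off + p.len <= n; off++) {
            size_t i = 0;
            while (i < p.len && (!p.care[i] || buf[off + i] == p.byte[i])) i++;
            if (i < p.len) continue;
            if (count < max_hits) { hits[count].name = SIGS[s].name; hits[count].offset = off; }
            count++;
        }
    }
    return count;
}

/* Constructed sample: the Haspinst.exe loop of Method 02 as raw 16-bit
 * opcodes, then the simplest Method 05 check, then a MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                                     /* nop; nop                                  */
    0xB8, 0x11, 0x09, 0x8B, 0x17,                   /* mov ax,0911h; mov dx,[bx]                 */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,       /* mov si,4647h; mov di,4A4Dh; int 3  @7     */
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06,       /* add bx,2; inc cx; cmp cx,6                */
    0x72, 0xEB,                                     /* jb back to the mov ax                     */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, /* mov ax,4Fh; int 41h; cmp ax,0F386h  @23  */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* "\\.\SICE"                          @31  */
};

int main(int argc, char **argv)
{
    const uint8_t *buf = SAMPLE;
    size_t n = sizeof SAMPLE;
    uint8_t *file = NULL;
    if (argc > 1) {                          /* scan a file named on the command line */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        file = malloc(sz > 0 ? (size_t)sz : 1);
        n = file ? fread(file, 1, sz > 0 ? (size_t)sz : 0, f) : 0;
        fclose(f);
        buf = file;
    }
    struct hit hits[64];
    size_t found = scan_buffer(buf, n, hits, 64);
    for (size_t i = 0; i < found && i < 64; i++)
        printf("%08zx  %s\n", hits[i].offset, hits[i].name);
    printf("%zu signature hit(s)\n", found);
    free(file);
    return 0;
}
```

Build with a C compiler and run it with no arguments to scan the built-in sample, or give it a file to scan. Two caveats: Methods 01 and 02 are mostly found inside packers, so on disk the stub is usually encrypted and only shows up in an unpacked image or a memory dump; and the int-based patterns cover the 16-bit encodings shown in the listings, whereas a 32-bit build of the same stub carries a 66h operand-size prefix on the mov ax / cmp ax instructions and needs its own entry. The 'BCHK' pattern matches both forms, because the prefix precedes the opcode bytes it looks for.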
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey argument; offset 0x13 lands on the "tICE" of
   "Software\NuMega\SoftICE", offset 0x37 on the same letters at the end of
   the Uninstall key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with the zero flag clear when a debugger
is installed, hence the conditional jump after the call:

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>