About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (interrupt vector table), as set in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = PIT counter byte, a changing value
    xor     cx,cx
    int     41h                     ; if our handler runs, cl becomes al
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: a debugger handled the int 41h itself
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

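The two dr7 values quoted above can be read off bit by bit. The following Python decoder is an added example (not part of the original text); it uses the Intel debug-register layout (L0..G3 in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, R/Wn and LENn in bits 16-31) to show what the ring0 read described here would see: 0x700 differs from 0x400 only in bits 8-9, the LE/GE exact-breakpoint enables, and an armed BPM shows up as an L/G bit plus its R/W and LEN fields. The 0xD0401 value and the DR0 address in the demo are constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable of DR0..DR3
#   bits 8, 9   LE, GE                   exact breakpoint enables
#   bit 10      reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13      GD                       general detect: trap on any MOV to/from DRx
#   bits 16+4n  R/Wn (2 bits), bits 18+4n LENn (2 bits), for n = 0..3
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # encoding 2 (8 bytes) is 64-bit only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its flags and the list of armed hardware breakpoints."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),
        "global_exact": bool(dr7 & (1 << 9)),
        "general_detect": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                      # DRn may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({"index": n, "local": local, "global": glob,
                                    "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return info


def debugger_signs(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """What the ring-0 read described in Method 10 would conclude from DR7 and
    the linear addresses held in DR0..DR3 (dr0_3)."""
    d = decode_dr7(dr7)
    signs = []
    if d["local_exact"] or d["global_exact"]:
        signs.append("LE/GE set: the 0x700 value Method 10 attributes to the SoftICE loader")
    for bp in d["breakpoints"]:
        signs.append(f"DR{bp['index']}: {bp['type']} breakpoint, {bp['length']} byte(s) "
                     f"at 0x{dr0_3[bp['index']]:08x} (a BPM)")
    if d["general_detect"]:
        signs.append("GD set: debug-register access itself traps to the debugger")
    return signs


if __name__ == "__main__":
    # 0xD0401 is constructed: baseline 0x400 + L0 + R/W0=write + LEN0=4 bytes,
    # i.e. what a BPM on a dword at DR0 looks like.
    for value in (0x400, 0x700, 0xD0401):
        print(f"DR7=0x{value:x}: {debugger_signs(value, (0x401000, 0, 0, 0)) or ['nothing armed']}")
```

A protector that clears the L/G bits (the "clearing BPMs" case) leaves the DR0..DR3 addresses in place but makes `decode_dr7` report no breakpoints, which is exactly why the text warns against tracing with SoftICE while such code runs.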
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
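Every method above that runs in the protected program leaves fixed constants in the file: the 'BCHK' value (method 01), the 4647h/4A4Dh magic pair (02), the 0202h/7A5Fh VxD IDs next to int 2Fh (03/04), the 0F386h comparison (05, 06, 07, 12), the \\.\SICE style device names (11) and the registry keys just listed (13). The following Python script is an added example, not part of the original text: it scans a file for those patterns as an assembler encodes them (B8+r for mov reg,imm; CD nn for int; 3D for cmp ax,imm; the optional 66h operand-size prefix of 32-bit code is tolerated, so 16-bit DOS and 32-bit Windows samples are both covered). It is a triage aid for an analyst: the sample bytes are constructed, and a bare cmp ax,0F386h can occur in unrelated code, so hits are leads rather than proof.

```python
import re
import struct
import sys

# (method number(s) in the text above, description, regex over raw bytes)
INDICATORS = [
    ("01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh",
     re.compile(rb"\xBD" + re.escape(struct.pack("<I", 0x4243484B)))),
    ("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh (either order)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
                re.DOTALL)),
    ("03/04", "int 2Fh entry-point query with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("05/06/07/12", "cmp ax,0F386h against the system-debugger magic number",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("11", "MeltICE driver names opened via CreateFileA or _lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("13", "SoftICE registry keys",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
                rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))")),
]


def scan(data: bytes) -> list:
    """Return every indicator hit as a dict {offset, method, description, bytes},
    sorted by file offset."""
    hits = []
    for method, description, pattern in INDICATORS:
        for m in pattern.finditer(data):
            hits.append({"offset": m.start(), "method": method,
                         "description": description, "bytes": m.group(0)})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample: NOP padding followed by the code fragments and strings of
# the methods above, encoded as an assembler would emit them.
SAMPLE = (
    b"\x90" * 8                            # padding
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh        (method 01)
    + b"\x66\xB8\x04\x00\xCC"              # mov ax,4 / int 3         (32-bit encoding)
    + b"\xB8\x11\x09"                      # mov ax,0911h             (method 02, 16-bit DOS code)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh (method 03)
    + b"\x66\x3D\x86\xF3"                  # cmp ax,0F386h            (methods 05/06/07/12)
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # device names             (method 11)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key #2          (method 13)
)


if __name__ == "__main__":
    # With a path argument the file is scanned; without one, the built-in sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    for h in scan(data):
        print(f"{h['offset']:08x}  method {h['method']:<12} {h['description']}")
```

The strings and registry keys are the cheap, reliable part; the opcode patterns are deliberately loose (a few bytes may sit between the two magic moves) because compilers and hand-written stubs interleave other instructions, which is also why the 0F386h pattern is the one most likely to need manual confirmation.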
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>