<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's handling of the BoundsChecker signature ('BCHK')
passed through int 3:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 4 if SoftICE answered the call
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copied al into cl; a debugger's handler did not
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply
by reading their values (in ring0 only). The values can be manipulated or
changed as well (clearing BPMs for instance).
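The two dr7 values quoted above are easier to interpret once the register is
decoded bit by bit. As an added example (not code from the original text),
the Python below decodes a dr7 value using the standard Intel layout: the
L0..G3 enable bits in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and
always read as 1, GD in bit 13, and the R/W and LEN fields of each breakpoint
in bits 16-31. The function names and the state labels are assumptions made
for this example; 0x400 is the value with only the reserved bit set, 0x700
additionally has LE and GE set, and anything with an L or G bit set means a
hardware breakpoint is armed.

```python
"""Decode x86 DR7 the way an analyst reads it (hypothetical helper written
for this text, not code from the page). Bit layout per the Intel SDM."""

# R/W field: what kind of access triggers the breakpoint
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
# LEN field: breakpoint length in bytes (encoding 2 means 8 bytes in 64-bit mode)
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its per-breakpoint slots and global flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: task-local enable
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: global enable
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn
        length = (dr7 >> (18 + 4 * n)) & 3        # LENn
        slots.append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "len": LEN_NAMES[length],
        })
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),                 # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),                 # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),    # always 1 on a real CPU
        "GD": bool((dr7 >> 13) & 1),                # general detect (traps on debug-register access)
        "any_hw_bp": any(s["enabled"] for s in slots),
    }


def classify(dr7: int) -> str:
    """Map a DR7 reading to the situations the text describes (labels are ours)."""
    d = decode_dr7(dr7)
    if d["any_hw_bp"]:
        return "hardware breakpoints armed"
    if d["LE"] or d["GE"]:
        return "exact-match flags set (LE/GE): loaded via SoftICE loader"   # 0x700 in the text
    return "pristine (only reserved bit 10 set)"                           # 0x400 in the text


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0401):   # the third is a constructed example: BPM on write, 4 bytes, DR0
        print(f"dr7={value:#010x}: {classify(value)}")
        for i, s in enumerate(decode_dr7(value)["slots"]):
            if s["enabled"]:
                print(f"  DR{i}: {s['type']} len={s['len']} local={s['local']} global={s['global']}")
```

The constructed value 0x000D0401 in the usage block is DR0 enabled locally
(bit 0), R/W0 = 01 (write) and LEN0 = 11 (4 bytes); decoding it shows how a
memory breakpoint set with BPM would look from ring0.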
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE driver (SoftICE for Win9x) accepts an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
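The breakpoints given throughout this text catch each trick while the
program runs. When triaging a protected binary on disk, the same knowledge
can be applied statically. As an added example, not code from the original
text, the Python below scans a binary image for the opcode sequences of
Methods 01 to 07 and 12 and for the device names and registry paths of
Methods 11 and 13. The byte encodings are the standard x86 ones for the
instructions shown in those sections (mov ax,imm16 = B8 iw, int n = CD ib,
cmp ax,imm16 = 3D iw, mov ebp,imm32 = BD id, and so on); the 0x66
operand-size prefix that 32-bit code puts in front of the 16-bit forms does
not defeat the match because the signatures cover only opcode and immediate
bytes. The Signature class, the signature names, the 32-byte proximity window
and the sample image are assumptions made for this example.

```python
"""Hypothetical analyst helper (not code from the text): scan a binary image
for the SoftICE-detection patterns described in Methods 01-07, 11, 12 and 13."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    anchor: bytes          # byte string that identifies the check
    nearby: tuple = ()     # groups of alternative byte strings; each group needs one match near the anchor
    window: int = 32       # how many bytes before/after the anchor count as "near"


OPCODE_SIGS = (
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42, followed by int 3 = CC
    Signature("Method 01: int 3 with BCHK signature", b"\xBD\x4B\x48\x43\x42", ((b"\xCC",),)),
    # Method 02: mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A ; int 3 = CC
    Signature("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)", b"\xBE\x47\x46",
              ((b"\xBF\x4D\x4A",), (b"\xCC",))),
    # Methods 03/04: mov bx,VxD_ID ; mov ax,1684h = B8 84 16 ; int 2Fh = CD 2F
    Signature("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)", b"\xBB\x02\x02",
              ((b"\xB8\x84\x16",), (b"\xCD\x2F",))),
    Signature("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", b"\xBB\x5F\x7A",
              ((b"\xB8\x84\x16",), (b"\xCD\x2F",))),
    # Methods 05/06: int 41h = CD 41 near cmp ax,0F386h = 3D 86 F3 (05) or in al,40h = E4 40 (06)
    Signature("Method 05/06: int 41h debugger check", b"\xCD\x41",
              ((b"\x3D\x86\xF3", b"\xE4\x40"),)),
    # Method 07: mov ah,43h = B4 43 ; int 68h = CD 68 ; cmp ax,0F386h
    Signature("Method 07: int 68h/43h", b"\xCD\x68",
              ((b"\xB4\x43",), (b"\x3D\x86\xF3",))),
    # Method 12: push 002A002Ah = 68 2A 00 2A 00 ; push 4Fh = 6A 4F ; cmp ax,0F386h
    Signature("Method 12: VxDCall VWIN32_Int41Dispatch", b"\x68\x2A\x00\x2A\x00",
              ((b"\x6A\x4F",), (b"\x3D\x86\xF3",))),
)

# Methods 11 and 13: device names and registry paths, looked up both as ANSI
# and as UTF-16LE (the 'W' variants of the Win32 APIs take the latter).
TEXT_MARKERS = {
    "Method 11: driver handle open": (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"),
    "Method 13: registry probe": (r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                                  r"App Paths\Loader32.Exe"),
}


def _nearby_ok(blob, pos, sig):
    """True when every 'nearby' group has at least one alternative close to the anchor."""
    lo = max(0, pos - sig.window)
    region = blob[lo:pos + len(sig.anchor) + sig.window]
    return all(any(alt in region for alt in group) for group in sig.nearby)


def _find_all(blob, needle):
    """Yield every offset at which needle occurs in blob (overlaps included)."""
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def scan(blob):
    """Return sorted (offset, description) pairs for every pattern found in blob."""
    hits = set()
    for sig in OPCODE_SIGS:
        for pos in _find_all(blob, sig.anchor):
            if _nearby_ok(blob, pos, sig):
                hits.add((pos, sig.name))
    for name, markers in TEXT_MARKERS.items():
        for marker in markers:
            for enc in ("ascii", "utf-16-le"):
                for pos in _find_all(blob, marker.encode(enc)):
                    hits.add((pos, f"{name} [{marker}, {enc}]"))
    return sorted(hits)


# Constructed sample image: 8 nops, the Method 05 sequence exactly as the text
# shows it (mov ax,4Fh / int 41h / cmp ax,0F386h / jz), a Unicode device name
# as a CreateFileW caller would store it, then an ANSI registry path.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x90" * 8
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:#06x}  {what}")
```

Running the module on the constructed SAMPLE reports the int 41h check at
offset 0xb, the Unicode NTICE device name at 0x1a and the registry path at
0x2e. The proximity window is what keeps a lone CD 41 or CC byte in random
data from counting as a hit: an anchor only scores when the companion
instructions the text shows sit within 32 bytes of it.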

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>