About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; es = 0 (IVT) is assumed here; method 06 sets it explicitly
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; our handler ran: cl == al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

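As an added example (not part of the original post), the Python decoder below shows what such a ring-0 check actually reads out of DR7 and DR0-DR3, following the Intel SDM bit layout: the 0x700 and 0x400 values quoted above come out as LE/GE set versus only the reserved bit. The register values fed in are constructed.

```python
# Added example, not part of the original post: decode the debug-register state a
# ring-0 check such as method 10 reads. Bit layout per the Intel SDM: DR7 bits
# 2i/2i+1 = local/global enable for DRi, bits 16+4i..17+4i = R/W, 18+4i..19+4i = LEN,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD.
from dataclasses import dataclass, field

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode
DR7_CLEAN = 0x400                       # value the text reports when SoftICE is absent

@dataclass
class DebugState:
    bpm: list = field(default_factory=list)  # (index, address, kind, length) per armed DR0-DR3
    local_exact: bool = False                # LE: part of the 0x700 tell for the SoftICE loader
    global_exact: bool = False               # GE
    general_detect: bool = False             # GD: traps any mov to/from DRx
    debugger_likely: bool = False

def decode_debug_regs(dr0_3, dr7):
    """Interpret DR0-DR3 plus DR7 the way a ring-0 anti-debug check would."""
    state = DebugState()
    for i, addr in enumerate(dr0_3[:4]):
        if (dr7 >> (2 * i)) & 3:                       # L or G enable bit set for DRi
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            state.bpm.append((i, addr, RW_NAMES[rw], LEN_BYTES[ln]))
    state.local_exact = bool(dr7 & 0x100)
    state.global_exact = bool(dr7 & 0x200)
    state.general_detect = bool(dr7 & 0x2000)
    # Anything beyond the reserved bit means a debugger has written DR7:
    # 0x700 is LE+GE with no BPM, the value the text gives for the SoftICE loader.
    state.debugger_likely = (dr7 & ~DR7_CLEAN) != 0
    return state

if __name__ == "__main__":
    # Constructed register snapshots: clean machine, SoftICE-loader machine, one BPM.
    for dr7 in (0x400, 0x700, 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)):
        s = decode_debug_regs([0x401000, 0, 0, 0], dr7)
        print(hex(dr7), s.debugger_likely, s.local_exact, s.global_exact, s.bpm)
```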
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
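To triage a sample for the checks catalogued above without running it, here is an added Python scanner (not part of the original post, nor of any tool it names) that matches the instruction encodings and strings quoted in methods 01-05, 07, 11 and 13. The sample buffer is constructed from hand-encoded fragments of those methods, and reported offsets are positions in that buffer.

```python
# Added example, not part of the original post: static fingerprinting of the
# anti-SoftICE tricks described above (methods 01-05, 07, 11 and 13) in a raw
# binary image. Patterns are derived from the encodings/strings quoted in the text.
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Hit:
    method: str  # method number as used in the text
    offset: int  # byte offset of the match in the scanned buffer
    detail: str  # which instruction sequence or string matched

# Opcode fingerprints. B8/BB/BE/BF = mov r16,imm16 (same bytes with or without a
# 66h prefix), BD = mov ebp,imm32, 3D = cmp ax,imm16, CD = int imm8, 68 = push imm32.
CODE_SIGNATURES = [
    ("01", rb"\xBD\x4B\x48\x43\x42", "mov ebp,'BCHK': BoundsChecker int 3 probe"),
    ("02", rb"\xBE\x47\x46.{0,24}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,24}?\xBE\x47\x46",
     "SI=4647h / DI=4A4Dh back-door magic values"),
    ("03/04", rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
     "int 2Fh/1684h lookup of VxD 0202h (SICE) or 7A5Fh (SIWVID)"),
    ("05", rb"\xB8\x4F\x00.{0,8}?\xCD\x41", "mov ax,4Fh / int 41h"),
    ("05/12", rb"\x3D\x86\xF3", "cmp ax,0F386h system-debugger magic number"),
    ("07", rb"\xB4\x43\xCD\x68", "mov ah,43h / int 68h V86 handler check"),
    ("12", rb"\x68\x2A\x00\x2A\x00", "push 002A002Ah (VWIN32_Int41Dispatch)"),
]
# Driver and registry names (MeltICE-style checks), matched as ASCII and UTF-16LE.
STRING_SIGNATURES = [
    ("11", b"\\\\.\\SICE"), ("11", b"\\\\.\\SIWVID"), ("11", b"\\\\.\\NTICE"),
    ("13", b"Software\\NuMega\\SoftICE"), ("13", b"Uninstall\\SoftICE"),
]

def _patterns():
    for method, pat, detail in CODE_SIGNATURES:
        yield method, re.compile(pat, re.DOTALL), detail
    for method, name in STRING_SIGNATURES:
        text = name.decode("ascii")
        yield method, re.compile(re.escape(name), re.IGNORECASE), text
        yield method, re.compile(re.escape(text.encode("utf-16-le"))), text + " (UTF-16LE)"

def scan(data: bytes) -> list[Hit]:
    """Return every fingerprint found in data, ordered by offset."""
    hits = [Hit(m, r.start(), d) for m, rx, d in _patterns() for r in rx.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)

def summarize(hits: list[Hit]) -> dict[str, int]:
    """Hits per method, for a one-line triage verdict."""
    return dict(Counter(h.method for h in hits))

# Constructed sample: hand-encoded fragments of the tricks separated by NOP padding,
# standing in for the code and data sections of a real protected executable.
SAMPLE = (
    b"\x90" * 4 + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"               # method 01
    + b"\x90" * 4 + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"          # method 02
    + b"\x90" * 4 + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"              # method 03
    + b"\x90" * 4 + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                              # method 05
    + b"\x90" * 4 + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # 12
    + b"\x90" * 4 + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"     # 11, 13
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:06x}  method {h.method:<5} {h.detail}")
    print(summarize(scan(SAMPLE)))
```

Real samples should be scanned section by section (code and data) with the PE or MZ headers stripped, so that the reported offsets map back to the disassembly.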
</PRE></TD></TR></TBODY></TABLE>