<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' BoundsChecker signature
        mov ax, 04h
        int 3                   ; SoftICE handles the call and modifies al
        cmp al, 4
        jnz SoftICE_Detected    ; al unchanged only if nobody answered
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di              ; es:di = 0:0 before the call
        mov ax, 1684h           ; int 2Fh fn 1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not loaded)
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di              ; es:di = 0:0 before the call
        mov ax, 1684h           ; int 2Fh fn 1684h: get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not loaded)
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh             ; int 41h fn 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; es = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler, saving the old one
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h                 ; with no debugger the dummy handler leaves ax = 4Fh
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; the dummy handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the dummy int 41h handler, saving the old one
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: an unpredictable value in al
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was really reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h             ; int 68h fn 43h: debugger installation check
        int 68h
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; int 21h fn 25h: set interrupt vector
        mov al, Int_Number              ; (01h or 03h)
        mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067:  push 00402025    ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001    ; INVALID_HANDLE_VALUE?
    00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed    ; ZF set if no debugger is installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
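The detection idioms catalogued above (methods 01 to 05, 07, 11, 12 and 13) as an added, defender-side example that is not part of the original text: a small signature scanner an analyst can run over a sample to report which anti-SoftICE tricks it carries. The byte patterns are hand-assembled from the page's listings (16-bit encodings for the DOS code, 32-bit for the 'BCHK' and VxDCall checks), and the sample buffer and its offsets are constructed.

```python
"""Added example, not from the original text: a defender-side scanner that
flags which of the anti-SoftICE idioms catalogued on this page a binary
carries.  Byte patterns are hand-assembled from the page's listings (16-bit
encodings for the DOS code, 32-bit for the 'BCHK' and VxDCall checks);
ANSI strings only; every offset in the sample below is constructed."""
import re

# description -> (regex over raw bytes, method number on this page)
SIGNATURES = {
    "BoundsChecker 'BCHK' + int 3 (mov ebp,4243484Bh)": (rb"\xBD\x4B\x48\x43\x42", 1),
    "int 3 back door magic (mov si,4647h / mov di,4A4Dh)": (rb"\xBE\x47\x46\xBF\x4D\x4A", 2),
    "int 2Fh/1684h with SICE VxD id 0202h": (rb"\xB8\x84\x16\xBB\x02\x02.{0,8}?\xCD\x2F", 3),
    "int 2Fh/1684h with SIWVID VxD id 7A5Fh": (rb"\xB8\x84\x16\xBB\x5F\x7A.{0,8}?\xCD\x2F", 4),
    "int 41h fn 4Fh debugger check (mov ax,4Fh / int 41h)": (rb"\xB8\x4F\x00\xCD\x41", 5),
    "int 68h fn 43h WinICE handler check (mov ah,43h / int 68h)": (rb"\xB4\x43\xCD\x68", 7),
    "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)": (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", 11),
    "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)": (rb"\x68\x2A\x00\x2A\x00", 12),
    "SoftICE registry key (Software\\NuMega\\SoftICE)": (rb"Software\\NuMega\\SoftICE", 13),
}

def scan(image: bytes):
    """Return every hit as (offset, method_number, description), sorted by offset."""
    hits = []
    for desc, (pattern, method) in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(image: bytes):
    """Distinct method numbers (as numbered on this page) present in the image."""
    return sorted({method for _, method, _ in scan(image)})

# Constructed sample: NOP filler with three of the page's idioms spliced in.
SAMPLE = (
    b"\x90" * 16
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"            # method 02: magic SI/DI, then int 3
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"        # method 03: int 2Fh/1684h, bx = 0202h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"         # method 11: MeltICE device names
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"0x{off:04X}  method {method:02d}  {desc}")
```

Running the block on a real sample means replacing SAMPLE with the file's bytes; a hit only says the idiom is present, so confirm it under a debugger before concluding anything about the program.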