<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: an INT 3 issued
with the 'BCHK' signature in EBP and AX=4 is answered by SoftICE, which
changes AL; without a debugger AL keeps its value 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; untouched when no SoftICE is present
        jnz SoftICE_Detected

____________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies on
the SoftICE 'Back Door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger is
  not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI receives the address
of its API entry point, otherwise ES:DI is left at 0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs a dummy int 41h handler
for the duration of the call, so AX can only come back as 0F386h if
something underneath the program (a system debugger) intercepts the
interrupt:

        xor ax,ax
        mov es,ax               ; ES=0: es:[41h*4] is the int 41h vector in the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot, since AX is not
set to 4Fh: a byte read from the timer port 40h is passed in AL, and the
program's own int 41h handler copies it into CL. If something else handled
the interrupt instead, CL still holds 0 after the call.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES=0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): the same 0F386h
magic number as in methods 05/06 is returned, this time to function 43h of
int 68h.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS must hold its segment
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set (DR0
to DR3), simply by reading their values (ring 0 only, since MOV from DRx is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).
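The DR7 values quoted above, decoded. This is an added example and not code from the original page: the DR7 bit layout is the documented one (Intel manuals), the 0x700/0x400 observation is the page's own, and BPM_EXAMPLE is a constructed value. Reading DR7 itself still needs ring 0; this only interprets a value that has already been fetched.

```python
"""Decode DR7 the way Method 10 reads it.

Added example, not code from the original text. The bit layout of DR7 is the
documented one; the 0x700 / 0x400 values are the two the text quotes and
BPM_EXAMPLE is a constructed value. Reading DR7 requires ring 0, so this only
interprets a value that has already been fetched.
"""
from typing import Dict, List

RW_NAMES = {0: 'execute', 1: 'write', 2: 'io', 3: 'read/write'}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the armed hardware breakpoints (DR0..DR3) and the global flags."""
    bps: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln: armed for the current task
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn: armed for every task
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn: access type that traps
        length = (dr7 >> (18 + 4 * i)) & 3  # LENn: size of the watched range
        bps.append({'index': i, 'scope': 'global' if glob else 'local',
                    'access': RW_NAMES[rw], 'length': LEN_BYTES[length]})
    return {
        'breakpoints': bps,
        'le': bool(dr7 & 0x100),    # bit 8: local exact breakpoint enable
        'ge': bool(dr7 & 0x200),    # bit 9: global exact breakpoint enable
        'gd': bool(dr7 & 0x2000),   # bit 13: general detect (trap on DRx access)
    }


def softice_loader_used(dr7: int) -> bool:
    """The text's observation: DR7 is 0x700 when the program was started from
    the SoftICE loader and 0x400 otherwise. Bit 10 is reserved and reads as 1
    in both, so the difference is LE and GE (bits 8 and 9) being set."""
    return (dr7 & 0x300) == 0x300


def has_memory_breakpoint(dr7: int) -> bool:
    """True when at least one of DR0..DR3 is armed, i.e. a BPM is set."""
    return bool(decode_dr7(dr7)['breakpoints'])


# Constructed: DR0 armed globally (G0), trapping read/write accesses to a
# 4-byte range, plus the always-set reserved bit 10.
BPM_EXAMPLE = 0x000F0402

if __name__ == '__main__':
    for value in (0x700, 0x400, BPM_EXAMPLE):
        print(f'DR7={value:#010x}: loader={softice_loader_used(value)} '
              f'bpm={has_memory_breakpoint(value)} '
              f'{decode_dr7(value)["breakpoints"]}')
```

The same decoder tells you what a BPM a cracker left behind will trap on (scope, access type, range), which is what a protection that "clears BPMs" has to zero in DR7 before it touches DR0..DR3.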
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE', because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program load
or unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it only works on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem
demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
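Added example, not part of the original text or of any tool it mentions: a signature scanner that looks for the byte encodings of the tricks in Methods 01 to 07, 11 and 12 in a raw code buffer, so a packer or a suspicious executable can be triaged for them without being run. The byte patterns are hand-assembled from the listings above; the sample buffers are constructed for the example, not taken from real files.

```python
"""Signature scanner for the anti-SoftICE tricks listed in this document.

Added example, not code from the original text. Each pattern is the byte
encoding of the instruction sequence shown in the corresponding method; a
flexible gap (.{0,n}?) allows for 66h operand-size prefixes and the extra
instructions packers tend to interleave. 16-bit and 32-bit code encode these
immediates identically apart from the prefix, so one pattern per method
matches both.
"""
import re
from typing import Dict, List, Tuple

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ; mov ax,4 ; int 3 (CC) ; cmp al,4 (3C 04)
    ('int3 BCHK (Method 01)',
     rb'\xbd\x4b\x48\x43\x42.{0,6}?\xcc.{0,4}?\x3c\x04'),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order, then int 3
    ('int3 back door (Method 02)',
     rb'(?:\xbe\x47\x46.{0,12}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,12}?\xbe\x47\x46).{0,12}?\xcc'),
    # Methods 03/04: mov ax,1684h (B8 84 16) ; mov bx,0202h|7A5Fh (BB ..) ; int 2Fh (CD 2F)
    ('int 2Fh/1684h VxD ID (Methods 03/04)',
     rb'\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f'),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41) ; cmp ax,0F386h (3D 86 F3)
    ('int 41h/4Fh (Method 05)',
     rb'\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x3d\x86\xf3'),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68) ; cmp ax,0F386h
    ('int 68h/43h (Method 07)',
     rb'\xb4\x43.{0,8}?\xcd\x68.{0,8}?\x3d\x86\xf3'),
    # Method 12: push 4Fh (6A 4F) ; push 002A002Ah (68 2A 00 2A 00) before the VxDCall
    ('VxDCall VWIN32_Int41Dispatch (Method 12)',
     rb'\x6a\x4f\x68\x2a\x00\x2a\x00'),
    # Method 11: the device names MeltICE opens (ANSI strings; a CreateFileW
    # variant would carry them as UTF-16LE and needs a second pattern)
    ('MeltICE device name (Method 11)',
     rb'\\\\\.\\(?:SICE|SIWVID|NTICE)'),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every pattern found, sorted by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed samples, hand-assembled from the listings in the text; none of
# these bytes were taken from a real binary. 16-bit code unless noted.
SAMPLES = {
    # Haspinst.exe loop (Method 02): mov ax,0911h / mov dx,[bx] / mov si,4647h /
    # mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6 / jb / jmp / mov bx,sp
    'haspinst': bytes.fromhex('B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC'),
    # Method 01 as 32-bit code: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    'bchk': bytes.fromhex('BD4B484342 66B80400 CC 3C04 7501'),
    # Method 04: xor di,di / mov es,di / mov ax,1684h / mov bx,7A5Fh / int 2Fh
    'siwvid': bytes.fromhex('33FF 8EC7 B88416 BB5F7A CD2F'),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    'int41': bytes.fromhex('B84F00 CD41 3D86F3 7401'),
    # Method 12 (32-bit): push 4Fh / push 002A002Ah / call dword ptr [VxDCall]
    'vxdcall': bytes.fromhex('6A4F 682A002A00 FF1500000000'),
    # MeltICE string table: NUL-separated ANSI device names
    'meltice': b'\x00\\\\.\\SICE\x00\\\\.\\SIWVID\x00\\\\.\\NTICE\x00',
    # Ordinary prologue/epilogue: no hit expected
    'clean': bytes.fromhex('55 8BEC 33C0 5D C3'),
}


def scan_samples() -> Dict[str, List[Tuple[int, str]]]:
    """Run the scanner over every constructed sample."""
    return {name: scan(buf) for name, buf in SAMPLES.items()}


if __name__ == '__main__':
    for name, hits in scan_samples().items():
        print(f'{name:9s}: {hits or "no anti-SoftICE signature"}')
```

Run it on a file with scan(open(path, 'rb').read()). Static matching of this kind is the same idea as the SoftICE conditional breakpoints quoted above, applied before execution rather than at the moment of the call: it tells you which trick a packer carries so you know which BPX to set, but a packer that decrypts its anti-debug code at run time will only show up once that code has been unpacked.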
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>