<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' - BoundsChecker request signature
    mov ax, 04h
    int 3                   ; SoftICE services the request if it is loaded...
    cmp al,4
    jnz SoftICE_Detected    ; ...AL left unchanged (4) means it is absent

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di               ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if no such VxD is loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table (set up as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our dummy handler into the int 41h vector...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector afterwards
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; a system debugger still answers with the magic number
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; dummy handler: copy AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL==AL only if our own handler was the one that ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
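What the two DR7 values quoted in Method 10 actually encode is easier to see with a decoder. The following Python is an added example, not code from the original text: it splits DR7 along Intel's documented bit layout (enable bits 0-7, LE/GE at bits 8-9, the always-set reserved bit 10, R/W and LEN fields from bit 16 up) and classifies a register state the way the check above does. The sample values are constructed; 0xD0701 is 0x700 with DR0 locally enabled as a 4-byte write breakpoint.

```python
from typing import Dict, List, Tuple

# x86 DR7 layout (Intel documented; added example, not code from the text):
#   bits 0..7    L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bit 8, bit 9 LE, GE           exact-match flags; 0x700 == LE|GE|bit 10
#   bit 10       reserved, always reads as 1, hence the 0x400 baseline
#   bits 16..31  per slot n: R/Wn at 16+4n (2 bits), LENn at 18+4n (2 bits)
DR7_RESERVED = 0x400
DR7_LE = 0x100
DR7_GE = 0x200

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # 8 bytes is only defined in 64-bit mode


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into the LE/GE flags and the list of armed breakpoint slots."""
    slots: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 0b11
            ln = (dr7 >> (18 + 4 * n)) & 0b11
            slots.append({"slot": n,
                          "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw],
                          "length": LEN_BYTES[ln]})
    return {"exact_local": bool(dr7 & DR7_LE),
            "exact_global": bool(dr7 & DR7_GE),
            "slots": slots}


def classify(dr7: int, dr0_3: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> str:
    """Read DR7 (plus DR0..DR3 addresses) the way the check in Method 10 does."""
    info = decode_dr7(dr7)
    if info["slots"]:
        armed = ", ".join(
            "DR%d=%#x (%s, %d bytes)" % (s["slot"], dr0_3[s["slot"]], s["kind"], s["length"])
            for s in info["slots"])
        return "hardware breakpoints armed: " + armed
    if info["exact_local"] and info["exact_global"]:
        return "no breakpoints armed but LE/GE set (DR7 == 0x700): started under a debugger loader"
    return "debug registers idle (DR7 == 0x400 baseline)"


# Constructed sample states (not captured from a real machine):
SAMPLE_IDLE = DR7_RESERVED                       # 0x400
SAMPLE_LOADER = DR7_RESERVED | DR7_LE | DR7_GE   # 0x700
SAMPLE_BPM = 0xD0701   # 0x700 | L0 | RW0=01 (write) at bit 16 | LEN0=11 (4 bytes) at bit 18
SAMPLE_DR0_3 = (0x401000, 0, 0, 0)

if __name__ == "__main__":
    for value in (SAMPLE_IDLE, SAMPLE_LOADER, SAMPLE_BPM):
        print("%#07x: %s" % (value, classify(value, SAMPLE_DR0_3)))
```

The reserved bit is why a clean machine never reads DR7 as zero: the "0x400 otherwise" in the text is simply that bit, and the loader case adds LE and GE on top of it.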
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds if the VxD is loaded and answered DIOC_OPEN */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


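Every trick from Method 01 to Method 13 leaves a fixed opcode sequence or a fixed string in the protected program, which is what an analyst keys on when triaging a packer or protector statically, before ever loading it under a debugger. The Python below is an added example, not code from the original document: the byte patterns were hand-encoded from the listings above (16-bit encodings for the 16-bit listings, 32-bit where the listing is 32-bit), the signature names and the sample buffer are constructed for this example, and the small lazy gaps allow for the few interleaved instructions the listings show.

```python
import re
from typing import List, Tuple

# Added example, not code from the original text. Byte-level signatures of the
# SoftICE checks in Methods 01-13, hand-encoded from the listings above
# (16-bit encodings where the listing is 16-bit, 32-bit where it is 32-bit).
# The lazy ".{0,n}?" gaps tolerate a few interleaved instructions.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh / mov ax,4 / int 3)":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.S),
    "M02 back door magic (mov si,4647h / mov di,4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S),
    "M03/M04 int 2Fh/1684h with the SICE or SIWVID VxD id":
        re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.S),
    "M05 int 41h/4Fh magic-number check (mov ax,4Fh / int 41h)":
        re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S),
    "M07 int 68h/43h (mov ah,43h / int 68h)":
        re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S),
    "M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    "M13 SoftICE registry key names":
        re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I),
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper: run scan() over a whole file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the Method 01 and Method 02 sequences, a MeltICE device
# name and the Method 12 VxDCall pair, padded with NOPs. Not from a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x90" * 3
    + b"\xB8\x11\x09"                  # mov ax, 0911h
    + b"\x8B\x17"                      # mov dx, [bx]
    + b"\xBE\x47\x46"                  # mov si, 4647h
    + b"\xBF\x4D\x4A"                  # mov di, 4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 2
    + b"\\\\.\\SICE\x00"               # "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

A hit is a lead, not a verdict: the int 41h and int 2Fh sequences also occur in legitimate DOS-era code, so the offsets are meant to be taken to the listing and read in context, exactly as the breakpoints given after each method are meant to be confirmed by looking at the caller.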
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>