<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handling in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK' signature
    mov ax, 04h
    int 3                       ; al is changed if SoftICE intercepts the int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di                   ; ES:DI = 0:0 before the call
    mov ax, 1684h               ; Get Device Entry Point
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point (still 0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the IVT (segment 0), as in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]       ; ...and keep the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler never sets ax: only a debugger does
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; only runs if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; es = IVT segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, save the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random value read from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; cl != al: our handler was bypassed
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                 ; Set Interrupt Vector
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver accepts an open request */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver is loaded: it answered the open */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is present

This service just checks a flag.
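
Added example (not from the original text nor from any tool it mentions): a small Python triage scanner that looks, in a raw code buffer, for the instruction encodings and device names behind methods 01, 02, 03/04, 05, 07, 11 and 12, the way an analyst would check a packed sample for these tricks before debugging it. The byte patterns are the standard x86 encodings of the instructions quoted above (16-bit forms for the DOS tricks, 32-bit 'mov ebp,imm32' for the BoundsChecker one); the sample buffer is constructed.

```python
import re

# Byte signatures of the SoftICE checks described above. Immediates are
# little-endian; '.{0,8}?' tolerates a few interleaved bytes, since packers
# do not always emit the instructions back to back.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' + int 3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (the 'magic values') ... int 3
    "02 back door SI=4647h DI=4A4Dh + int 3": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD ID SICE|SIWVID": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h fn 4Fh": rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h fn 43h": rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device names (MeltICE)
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 2A002Ah ahead of Kernel32!ORD_0001 (VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch fn 4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES.items()]


def scan(buf: bytes):
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(buf))
    return sorted(hits)


def methods_found(buf: bytes):
    """Just the method numbers, e.g. ['02', '05'] (deduplicated, sorted)."""
    return sorted({label.split()[0] for _, label in scan(buf)})


# Constructed sample: NOP/zero filler around an int 41h/4Fh check (method 05),
# the back-door magic values followed by int 3 (method 02) and a MeltICE
# device name (method 11). None of these bytes come from a real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"                           # '\\.\SICE',0 as passed to CreateFileA/_lopen
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  method {label}")
```

Run it on a dumped code section rather than the packed file, since a packer usually decrypts these checks only at run time.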
3 I/ ~% I1 U+ k2 S$ I- s</PRE></TD></TR></TBODY></TABLE> |