<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h    ; VxD ID of winice
    int 2Fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh    ; VxD ID of SIWVID
    int 2fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
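As an added illustration (not part of the original text), here is a small Python
decoder for DR7 using the standard x86 debug-register bit layout. It shows which
bits separate the 0x700 and 0x400 values quoted above (the LE and GE exact
breakpoint enables) and lists any DR0-DR3 hardware breakpoints that are enabled,
which is what an analyst wants to see when deciding whether a BPM is visible to
this check. The sample values are constructed and the function names are my own.

```python
# Added example: decode DR7 so that the two values quoted in the text
# (0x700 when loaded via the SoftICE loader, 0x400 otherwise) can be read
# bit by bit, and so that active memory breakpoints (BPMs) on DR0-DR3 show
# up by name.  Bit layout follows the standard x86 DR7 definition.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 is undefined on 32-bit CPUs


def decode_dr7(dr7):
    """Return a dict describing DR7: global flags plus one entry per slot."""
    info = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally always 1
        "GD": bool(dr7 & (1 << 13)),              # general detect (traps MOV DRx)
        "slots": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))        # L0..L3 are the even bits 0..6
        glob = bool(dr7 & (1 << (2 * i + 1)))     # G0..G3 are the odd bits 1..7
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wn: what kind of access
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENn: how many bytes
        info["slots"].append({
            "index": i, "local": local, "global": glob,
            "enabled": local or glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return info


def active_bpms(dr7, dr=(0, 0, 0, 0)):
    """List (index, address, kind, length) for every enabled hardware breakpoint."""
    return [(s["index"], dr[s["index"]], s["kind"], s["length"])
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def differing_bits(a, b):
    """Names of the DR7 global flags that differ between two DR7 values."""
    da, db = decode_dr7(a), decode_dr7(b)
    return sorted(k for k in ("LE", "GE", "GD", "reserved_bit10") if da[k] != db[k])


if __name__ == "__main__":
    # Constructed sample: DR7 as in the text plus one 4-byte read/write BPM in DR0.
    sample_dr7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    print(differing_bits(0x700, 0x400))                     # ['GE', 'LE']
    print(active_bpms(sample_dr7, dr=(0x401000, 0, 0, 0)))  # [(0, 4198400, 'read/write', 4)]
```

The 0x400 baseline is just the reserved bit that always reads as 1, so a check
that compares DR7 against a constant is really testing whether LE/GE were set by
the loader; the per-slot decode is what reveals a BPM, whatever DR7's other bits say.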
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SICE device succeeds only when the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>