About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
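Added example (not part of the original document): a small signature scanner in C that looks for the byte sequences of Method 01 and Method 02 inside a code buffer, the way an analyst triaging a packed sample would flag them. It assumes Method 01 is compiled as 32-bit code (so "mov ebp,imm32" is BD followed by the immediate and "mov ax,imm16" carries a 66h prefix) and Method 02 as 16-bit DOS code; the immediate of "mov ax" in the first signature is wildcarded because the BoundsChecker subfunction can vary (the page's sample uses 04h), and the sample buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One signature byte; when wild != 0 the byte is a wildcard and is not compared. */
typedef struct { uint8_t value; uint8_t wild; } SigByte;

typedef struct {
    const char    *name;
    const SigByte *bytes;
    size_t         len;
} Signature;

typedef struct { const char *name; size_t offset; } Hit;

/* Method 01 as 32-bit code: mov ebp,4243484Bh ('BCHK') / mov ax,imm16 / int 3.
 * The 16-bit immediate of "mov ax" is wildcarded (the page's sample uses 04h). */
static const SigByte SIG_BCHK_INT3[] = {
    {0xBD,0}, {0x4B,0}, {0x48,0}, {0x43,0}, {0x42,0},  /* mov ebp, 4243484Bh */
    {0x66,0}, {0xB8,0}, {0x00,1}, {0x00,1},            /* mov ax, <any imm16> */
    {0xCC,0}                                           /* int 3 */
};

/* Method 02 as 16-bit DOS code: mov si,4647h ('FG') / mov di,4A4Dh ('JM') / int 3. */
static const SigByte SIG_FGJM_INT3[] = {
    {0xBE,0}, {0x47,0}, {0x46,0},   /* mov si, 4647h */
    {0xBF,0}, {0x4D,0}, {0x4A,0},   /* mov di, 4A4Dh */
    {0xCC,0}                        /* int 3 */
};

static const Signature SIGNATURES[] = {
    { "method01_bchk_int3", SIG_BCHK_INT3, sizeof SIG_BCHK_INT3 / sizeof SIG_BCHK_INT3[0] },
    { "method02_fgjm_int3", SIG_FGJM_INT3, sizeof SIG_FGJM_INT3 / sizeof SIG_FGJM_INT3[0] },
};
#define NUM_SIGNATURES (sizeof SIGNATURES / sizeof SIGNATURES[0])

static int sig_matches_at(const uint8_t *buf, size_t len, size_t pos, const Signature *sig)
{
    if (sig->len > len - pos) return 0;          /* signature would run past the buffer */
    for (size_t i = 0; i < sig->len; i++)
        if (!sig->bytes[i].wild && buf[pos + i] != sig->bytes[i].value) return 0;
    return 1;
}

/* Scan buf for every signature; record up to max_hits matches and return the count. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t pos = 0; pos < len && n < max_hits; pos++)
        for (size_t s = 0; s < NUM_SIGNATURES && n < max_hits; s++)
            if (sig_matches_at(buf, len, pos, &SIGNATURES[s])) {
                hits[n].name   = SIGNATURES[s].name;
                hits[n].offset = pos;
                n++;
            }
    return n;
}

/* Constructed sample buffer (not taken from any real binary): filler bytes around
 * the two sequences from the page. */
static const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                           /* nop nop push ebp mov ebp,esp */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                           /* mov ebp, 4243484Bh (offset 5) */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,   /* mov ax,4 / int 3 / cmp al,4 / jnz */
    0x90, 0x90, 0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17,                           /* mov ax,0911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,               /* mov si,4647h / mov di,4A4Dh / int 3 (offset 27) */
    0xC3                                                    /* ret */
};

size_t scan_sample(Hit *hits, size_t max_hits)
{
    return scan_anti_softice(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, max_hits);
}

/* Helpers for checking results: number of hits in the sample, and offset of hit i. */
size_t sample_hit_count(void) { Hit h[8]; return scan_sample(h, 8); }
size_t sample_hit_offset(size_t i)
{
    Hit h[8];
    size_t n = scan_sample(h, 8);
    return i < n ? h[i].offset : SIZE_MAX;
}

int main(void)
{
    Hit hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%04zx: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

Run against the constructed buffer it reports the BCHK sequence at offset 5 and the FG/JM sequence at offset 27. Both signatures are deliberately anchored on the magic immediates followed by int 3, since the AX function load (0910h-0914h) and the ds:dx setup of Method 02 may sit some instructions earlier.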
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect (there is
no compare against 0F386h): the replacement handler copies AL into CL, so if
int 41h is intercepted before it reaches the hooked vector, CL stays 0 while AL
still holds the byte read from port 40h:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
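Added example (not the document's own code): a C decoder for the DR7 bit layout, which shows where the 0x400 and 0x700 values above come from. Bit 10 of DR7 is reserved and always reads as 1, which gives 0x400 on an idle system; 0x700 adds the LE and GE (exact breakpoint) bits 8 and 9, and an armed DR0..DR3 slot shows up in the low enable bits plus its R/W and LEN fields in the high word. The code only decodes values handed to it, since reading DR7 itself needs ring0; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one of the four hardware breakpoint slots described by DR7. */
typedef struct {
    int local_enable;   /* Ln: bit 2n   */
    int global_enable;  /* Gn: bit 2n+1 */
    int rw;             /* R/Wn: 0=execute, 1=data write, 2=I/O (needs CR4.DE), 3=data read/write */
    int len;            /* LENn: 0=1 byte, 1=2 bytes, 3=4 bytes (2 is undefined in 32-bit mode) */
} Dr7Slot;

typedef struct {
    Dr7Slot slot[4];
    int le;             /* bit 8:  local exact breakpoint enable  */
    int ge;             /* bit 9:  global exact breakpoint enable */
    int reserved_bit10; /* bit 10: reserved, always reads as 1    */
    int gd;             /* bit 13: general detect, traps any MOV to/from a debug register */
} Dr7;

Dr7 decode_dr7(uint32_t dr7)
{
    Dr7 d;
    for (int n = 0; n < 4; n++) {
        d.slot[n].local_enable  = (dr7 >> (2 * n))     & 1;
        d.slot[n].global_enable = (dr7 >> (2 * n + 1)) & 1;
        d.slot[n].rw  = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots that are armed, locally or globally. */
int dr7_enabled_count(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local_enable || d.slot[n].global_enable) count++;
    return count;
}

/* The page's "loaded via the SoftICE loader" signature: LE and GE both set.
 * 0x700 = reserved bit 10 + LE + GE; 0x400 = reserved bit 10 alone. */
int dr7_has_exact_flags(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    return d.le && d.ge;
}

int dr7_slot_rw(uint32_t dr7, int n)
{
    Dr7 d = decode_dr7(dr7);
    return d.slot[n].rw;
}

int dr7_slot_len_bytes(uint32_t dr7, int n)
{
    static const int bytes[] = { 1, 2, 8, 4 };   /* LEN=2 means 8 bytes, 64-bit mode only */
    Dr7 d = decode_dr7(dr7);
    return bytes[d.slot[n].len];
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_names[] = { "execute", "write", "io", "read/write" };
    Dr7 d = decode_dr7(dr7);
    printf("DR7=0x%08x LE=%d GE=%d GD=%d armed=%d\n",
           (unsigned)dr7, d.le, d.ge, d.gd, dr7_enabled_count(dr7));
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            printf("  DR%d (%s): %s, %d byte(s)\n", n,
                   d.slot[n].global_enable ? "global" : "local",
                   rw_names[d.slot[n].rw], dr7_slot_len_bytes(dr7, n));
}

/* Constructed value: 0x700 plus a 4-byte data read/write breakpoint armed in
 * DR0 (L0=1, R/W0=11b, LEN0=11b). */
#define DR7_WITH_BPM0  (0x700u | 0x1u | (0x3u << 16) | (0x3u << 18))

int main(void)
{
    print_dr7(0x400u);          /* page: SoftICE not loaded through its loader */
    print_dr7(0x700u);          /* page: loaded with the SoftICE loader */
    print_dr7(DR7_WITH_BPM0);   /* same, with one memory breakpoint set */
    return 0;
}
```

The same decoding is what a forensic or anti-anti-debug tool would apply to a DR7 value captured from a context record or a crash dump; nothing here touches the registers.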

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the device could be opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
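Added example (not from the document): a C reimplementation of what the conditional breakpoints of Method 11 (BPX CreateFileA if *(esp->4+4)=='SICE' ...) and Method 13 (BPX _regopenkey if *(esp->8+0x13)=='tICE' ...) actually compare, namely a 4-byte window at a fixed offset inside the string argument rather than the whole string. It derives the offsets 4, 0x13 and 0x37 from the page's own strings ("\\.\" is 4 bytes; "Software\NuMega\Sof" is 19 = 0x13 bytes; "Software\Microsoft\Windows\CurrentVersion\Uninstall\Sof" is 55 = 0x37 bytes). The function names and sample inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the four bytes of s starting at byte offset off spell tag (a
 * 4-character string), 0 if the string is too short or the bytes differ. This is
 * exactly what a SoftICE condition such as *(esp->4+4)=='SICE' tests: a dword
 * read at a fixed offset into the argument string. */
int tag_at_offset(const char *s, size_t off, const char *tag)
{
    size_t len = strlen(s);
    if (off + 4 > len) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: the device path passed to CreateFileA is "\\.\NAME"; the breakpoint
 * skips the 4-byte "\\.\" prefix (hence +4) and compares the next 4 bytes, so
 * "\\.\SIWVID" matches on 'SIWV' and "\\.\NTICE" on 'NTIC'. */
int is_softice_device_path(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (tag_at_offset(path, 4, tags[i])) return 1;
    return 0;
}

/* Method 13: the subkey string passed to RegOpenKey; 0x13 and 0x37 are the byte
 * offsets of "tICE" inside key #2 and key #1 from the page respectively. */
int is_softice_registry_subkey(const char *subkey)
{
    return tag_at_offset(subkey, 0x13, "tICE") || tag_at_offset(subkey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed inputs, built from the strings the page lists. */
    const char *paths[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0"
    };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      /* #1 */
        "Software\\NuMega\\SoftICE",                                            /* #2 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" /* #3 */
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-22s device check: %d\n", paths[i], is_softice_device_path(paths[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key #%zu registry check: %d\n", i + 1, is_softice_registry_subkey(keys[i]));
    return 0;
}
```

Key #3 from the list contains no 'tICE' at either offset, so this check, like the breakpoint it mirrors, does not fire on it; a fixed-offset compare is cheap to evaluate on every call but only covers the strings it was derived from.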

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>