<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; assumes ES = 0 (the interrupt vector table), as set up in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; temporarily install our own int 41h handler
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h ; our handler leaves ax untouched; SoftICE returns 0F386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl, al ; copy the 'random' value so the caller can check it
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax ; ES = 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the original vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer: an unpredictable value
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl, al ; our handler copied al to cl; SoftICE's did not
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
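Added example, not part of the original text: a small Python decoder for DR7 that shows why the two values quoted for Method 10 differ (0x400 is only the always-set reserved bit 10; 0x700 adds the LE and GE exact-breakpoint enables) and how armed DR0..DR3 slots would be reported by a ring-0 read. Bit positions follow the Intel manual; the register values fed in are constructed.

```python
# Added example, not from the original text: decode DR7 using the bit layout
# from the Intel SDM (debug registers) to show why the text's two values
# differ. Register values passed in are constructed; nothing here reads
# real debug registers (that needs ring 0, as the text says).

DR7_LE = 1 << 8             # local exact breakpoint enable
DR7_GE = 1 << 9             # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10  # always reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13            # general detect: traps any MOV to/from DRn

COND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding -> bytes watched


def decode_dr7(dr7):
    """Split DR7 into the LE/GE/GD flags and the armed DR0..DR3 slots."""
    armed = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))    # Gn
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3       # R/Wn
            ln = (dr7 >> (18 + 4 * n)) & 3       # LENn
            armed.append({"reg": n, "local": local, "global": glob,
                          "cond": COND[rw], "len": LEN[ln]})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "armed": armed}


def findings(dr7, dr0_3=(0, 0, 0, 0)):
    """Report what a ring-0 read of DR7 and DR0..DR3 would reveal, in the
    terms Method 10 uses: loader-started process and/or armed BPMs."""
    d = decode_dr7(dr7)
    out = []
    if d["le"] and d["ge"]:
        out.append("LE+GE set: matches the 0x700 pattern of a program started "
                   "from the SoftICE loader")
    for bp in d["armed"]:
        scope = "global" if bp["global"] else "local"
        out.append("DR%d armed (%s %s, %d byte(s)) at 0x%08X"
                   % (bp["reg"], scope, bp["cond"], bp["len"], dr0_3[bp["reg"]]))
    return out


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(hex(value), findings(value) or ["nothing set: only reserved bit 10"])
    # constructed: BPM on DR1, 4-byte write watch, global enable -> 0xD00408
    bpm = DR7_RESERVED_ONE | (1 << 3) | (1 << 20) | (3 << 22)
    print(hex(bpm), findings(bpm, (0, 0x0040F000, 0, 0)))
```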
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004Fh ; function 4Fh
 push 002A002Ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
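Added example, not from the original text or any tool it names: a Python scanner that looks for the byte encodings of the probes from Methods 01 to 07 and 12, plus the device and registry strings from Methods 11 and 13, in a raw binary. This is the triage check an analyst runs to learn which of these tricks a sample carries before single-stepping it; the byte patterns and the sample buffer are constructed here.

```python
import re

# Added example, not from the original text or any tool it names: byte-level
# signatures for the probes described above, so a sample can be triaged for
# these tricks before it is single-stepped. Encodings are the standard x86
# ones; the optional 66h prefix covers the same 16-bit move in 32-bit code.
# String signatures use (?i) so 'sice' and 'SICE' both hit.
SIGNATURES = [
    ("01 BoundsChecker int 3 probe, 'BCHK' in ebp",
     rb"\xBD\x4B\x48\x43\x42"),                            # mov ebp,4243484Bh
    ("02 int 3 back door, si=4647h 'FG' / di=4A4Dh 'JM'",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),       # mov si,..; mov di,..
    ("03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)[\x00-\xFF]{0,8}?\xCD\x2F"),
    ("05 int 41h function 4Fh",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),                    # mov ax,4Fh; int 41h
    ("07 int 68h function 43h",
     rb"\xB4\x43\xCD\x68"),                                 # mov ah,43h; int 68h
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                     # push 4Fh; push 2A002Ah
    ("05/06/07/12 compare with magic F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),                            # cmp ax,0F386h
    ("11 MeltICE device name",
     rb"(?i)\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13 SoftICE registry key",
     rb"(?i)NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data):
    """Return (offset, signature name) pairs found in a raw byte buffer,
    sorted by offset. Call it on a whole file image or a code section."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: padding, the Method 02 sequence as in the Haspinst.exe
# listing (mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3),
# then the Method 05 probe with its magic compare, then a MeltICE string.
SAMPLE = (b"\x90" * 8
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x90" * 4
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"
          + b"\x00" * 3
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("0x%04X  %s" % (off, name))
```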