About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
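As an added example (not part of the original post, nor code from Haspinst.exe), here is how an emulator or debugger hook can recognise and decode such a back-door call from the register state, and replay the six-command loop above; the segment value and the pointer-table layout are assumptions.

```python
# Added example (not from the original post): decode a SoftICE int 3 'back door'
# request from a snapshot of the 16-bit registers and memory, as a DOS emulator
# or debugger hook would before deciding how to answer it. The memory image is
# constructed to mirror the Haspinst.exe loop quoted above; the segment value
# and the pointer-table layout are assumptions, not taken from the binary.

SI_MAGIC, DI_MAGIC = 0x4647, 0x4A4D          # 'FG' / 'JM'
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}
DESTRUCTIVE = {"HBOOT"}   # commands a monitoring hook should refuse, not just log


def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def read_asciz(mem, addr, limit=64):
    end = mem.find(b"\x00", addr, addr + limit)
    return bytes(mem[addr:addr + limit if end < 0 else end]).decode("ascii", "replace")


def decode_int3_backdoor(regs, mem):
    """Describe the request, or return None when this is an ordinary int 3."""
    if regs["si"] != SI_MAGIC or regs["di"] != DI_MAGIC:
        return None
    func = BACKDOOR_FUNCS.get(regs["ax"], "unknown")
    cmd = None
    if regs["ax"] in (0x0910, 0x0911):       # these two take an ASCIZ string at ds:dx
        cmd = read_asciz(mem, linear(regs["ds"], regs["dx"]))
    destructive = regs["ax"] == 0x0911 and cmd is not None and cmd.upper() in DESTRUCTIVE
    return {"ax": regs["ax"], "func": func, "command": cmd, "destructive": destructive}


def walk_haspinst_loop(mem, ds, table_off, count=6):
    """Replay the 4C19:0095 loop: DX is loaded from [BX], BX += 2, six times."""
    calls = []
    for i in range(count):
        p = linear(ds, table_off + 2 * i)
        dx = mem[p] | (mem[p + 1] << 8)          # MOV DX,[BX], little endian
        regs = {"ax": 0x0911, "si": SI_MAGIC, "di": DI_MAGIC, "ds": ds, "dx": dx}
        calls.append(decode_int3_backdoor(regs, mem))
    return calls


def build_sample():
    """Constructed memory: a 6-entry near-pointer table, then the command strings."""
    ds, table_off, off = 0x4C19, 0x0200, 0x0220
    mem = bytearray(0x100000)
    for i, name in enumerate(["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]):
        p = linear(ds, table_off + 2 * i)
        mem[p:p + 2] = off.to_bytes(2, "little")
        s = linear(ds, off)
        mem[s:s + len(name) + 1] = name.encode() + b"\x00"
        off += len(name) + 1
    return mem, ds, table_off
```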


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(The check relies on CL only receiving AL when the program's own handler really
runs: if a system debugger services int 41h itself instead of passing it on to
the vector in the IVT, CL stays 0 and the compare fails, without any tell-tale
4Fh or 0F386h values showing up.)
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
7 U! `) v8 F5 f) _</PRE></TD></TR></TBODY></TABLE>