About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table), as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; only a debugger hooking below the IVT still answers 0F386h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h                     ; if nobody else intercepts int 41h, cl == al afterwards
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
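Added example (not part of the original text): a small Python triage scanner that searches a raw binary for the constants and strings the tricks above rely on, covering the 'BCHK' value of Method 01, the SI/DI magic of Method 02, the VxD IDs of Methods 03/04, the 0F386h magic and int 41h/4Fh of Methods 05, 07 and 12, the device names of Method 11 and the registry key of Method 13. The x86 opcode bytes in the patterns and the sample blob are hand-assembled assumptions (16-bit encodings where the page's snippets are DOS code); a hit marks a location for an analyst to review, not proof that the check is live.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above.
# Opcode encodings are hand-assembled assumptions (16-bit mode unless noted):
#   B8/BB/BE/BF iw = mov ax/bx/si/di,imm16   B4 ib = mov ah,imm8
#   CD ib = int imm8   CC = int 3   3D iw = cmp ax,imm16   6A ib / 68 id = push imm
SIGNATURES = {
    "M01 'BCHK' constant followed by int 3":
        rb"\x4B\x48\x43\x42.{0,16}\xCC",                      # 04243484Bh, little-endian
    "M02 back-door magic SI=4647h / DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46",
    "M03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    "M05 int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,8}\xCD\x41",
    "M05/07/12 compare with debugger magic 0F386h":
        rb"\x3D\x86\xF3",                                     # also matches 66 3D 86 F3 (32-bit)
    "M07 int 68h with ah=43h":
        rb"\xB4\x43.{0,8}\xCD\x68",
    "M11 MeltICE device name (ASCII)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key (ASCII)":
        rb"Software\\NuMega\\SoftICE",
}


def scan(blob: bytes) -> list:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    hits.sort(key=lambda hit: hit[1])
    return hits


def scan_file(path: str) -> list:
    """Scan a file on disk (DOS EXE, PE, memory dump: the scanner is format-agnostic)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: hand-assembled fragments reproducing the page's own examples.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Haspinst loop (M02)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # int 2Fh/1684h, bx=0202h (M03)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # push 4Fh; push 002A002Ah (M12)
    + b"\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"               # call ...; cmp ax,0F386h (32-bit)
    + b"\x00\\\\.\\SICE\x00"                                 # MeltICE device name (M11)
    + b"Software\\NuMega\\SoftICE\x00"                      # registry key (M13)
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Unicode (UTF-16) copies of the device name and registry key, common in NT-era binaries, are not covered by the ASCII patterns; add a second pattern with interleaved NUL bytes if that matters for the target.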