<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded
it answers the int 3 and al no longer holds 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler, so ax can only come back as 0F386h if something below the
vector table (the system debugger) answers the call:

    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; the dummy handler copies al into cl ...
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; ... a pseudo-random byte (timer counter)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; if our handler was not the one called, cl != al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method that detects the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can also be manipulated or changed
(clearing BPMs for instance).

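As an added illustration (not code from the original text) of what the ring0 read in Method 10 actually sees, this Python decoder splits a DR7 value into its enable bits and per-register R/W and LEN fields, and shows that the 0x700 and 0x400 values quoted above differ only in the LE and GE bits; the sample values fed to it are constructed.

```python
# Added example (not from the original text): decode an x86 DR7 value as
# the ring0 check in Method 10 would read it. Bit layout (IA-32):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per DRn)
#   bit 8 / 9   LE / GE (exact breakpoint match, legacy flags)
#   bit 10      reserved, always reads as 1 (hence the 0x400 base value)
#   bits 16..31 R/W0,LEN0 .. R/W3,LEN3 (2 bits each, per DRn)

RW_KINDS = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE flags and every enabled hardware breakpoint."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"reg": f"dr{n}", "kind": RW_KINDS[rw],
                        "len": LEN_BYTES[ln], "global": bool(glob)})
    return {"le": bool((dr7 >> 8) & 1),
            "ge": bool((dr7 >> 9) & 1),
            "breakpoints": bps}


def has_memory_breakpoints(dr7: int) -> bool:
    """True if any of dr0..dr3 is armed (the 'BPM set' case in the text)."""
    return bool(decode_dr7(dr7)["breakpoints"])


def loader_flags_set(dr7: int) -> bool:
    """The text quotes dr7 == 0x700 under the SoftICE loader and 0x400
    otherwise; the difference is exactly LE (bit 8) and GE (bit 9)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


if __name__ == "__main__":
    # Constructed sample values: the two from the text, plus dr0 armed as a
    # 4-byte write breakpoint (L0=1, R/W0=01b, LEN0=11b).
    for v in (0x400, 0x700, 0x400 | 0x000D0001):
        print(hex(v), decode_dr7(v))
```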
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

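As an added example for triage of DOS/Win9x-era samples (not code from the original text or from any program it mentions), this Python scanner looks for the byte encodings of the instruction sequences quoted in methods 01, 02, 05 and 07 and for the driver device names of method 11 (MeltICE); the encodings are derived from the listings above, and the sample buffer and offsets are constructed for the demonstration.

```python
# Added example (not from the original text): static scan for the
# anti-SoftICE code patterns and device names described above.
# Methods 02, 05 and 07 are 16-bit (real-mode) code; method 01 is 32-bit
# code, hence the 66h operand-size prefix on "mov ax, 4".
SIGNATURES = {
    "m01_boundschecker": (
        b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK')
        b"\x66\xB8\x04\x00"       # mov ax, 4
        b"\xCC"                   # int 3
        b"\x3C\x04"               # cmp al, 4
    ),
    "m02_backdoor_magic": (
        b"\xBE\x47\x46"           # mov si, 4647h
        b"\xBF\x4D\x4A"           # mov di, 4A4Dh
        b"\xCC"                   # int 3
    ),
    "m05_int41_4f": (
        b"\xB8\x4F\x00"           # mov ax, 4Fh
        b"\xCD\x41"               # int 41h
        b"\x3D\x86\xF3"           # cmp ax, 0F386h
    ),
    "m07_int68_43": (
        b"\xB4\x43"               # mov ah, 43h
        b"\xCD\x68"               # int 68h
        b"\x3D\x86\xF3"           # cmp ax, 0F386h
    ),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen.
    "m11_meltice_sice": b"\\\\.\\SICE",
    "m11_meltice_siwvid": b"\\\\.\\SIWVID",
    "m11_meltice_ntice": b"\\\\.\\NTICE",
}


def scan(data: bytes) -> list:
    """Return sorted (offset, signature_name) pairs for every hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


# Constructed sample (not from any real file): NOP filler with three of the
# patterns planted at offsets 0x10, 0x30 and 0x50.
SAMPLE = bytearray(b"\x90" * 0x80)
SAMPLE[0x10:0x1C] = SIGNATURES["m01_boundschecker"]   # 12 bytes
SAMPLE[0x30:0x38] = SIGNATURES["m05_int41_4f"]        # 8 bytes
SAMPLE[0x50:0x58] = SIGNATURES["m11_meltice_sice"]    # 8 bytes
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08X}  {name}")
```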
__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>