<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI is 0:0 when no such VxD answers
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; assumes es = 0 (interrupt vector table), as in Method 06
    xchg bx, es:[41h*4+2]   ; old vector is now saved in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...saving the old vector in bx:dx
    in al, 40h              ; read the PIT counter: a changing value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copies al into cl; if cl is still 0, something else took the int
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
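As an added illustration of what the two dr7 values quoted above mean (this is not part of the original text), here is a small Python decoder of the DR7 bit layout as documented in the Intel SDM: bits 0-7 are the L0/G0..L3/G3 enable pairs, bit 8 is LE and bit 9 GE, bit 10 is reserved and always reads as 1 (which is why an idle dr7 is 0x400 and not 0), bit 13 is GD (general detect: any further mov to or from a debug register raises #DB), and bits 16-31 hold each breakpoint's R/W and LEN fields. The function names decode_dr7 and debugger_indicators are made up for the example; the third sample value 0xD0401 is constructed (slot 0 armed locally as a 4-byte write breakpoint).

```python
"""Decode an x86 DR7 value (added example; field layout per the Intel SDM)."""
from dataclasses import dataclass, field
from typing import List

# R/W field: what kind of access fires the breakpoint
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field: 00=1 byte, 01=2 bytes, 10=8 bytes (long mode only), 11=4 bytes
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass
class HwBreakpoint:
    index: int          # 0..3, i.e. which of dr0..dr3 holds the address
    local: bool         # Lx bit (bit 2*index)
    global_: bool       # Gx bit (bit 2*index+1)
    access: str         # decoded R/W field
    length: int         # decoded LEN field, in bytes


@dataclass
class Dr7:
    raw: int
    le: bool            # bit 8, local exact breakpoint enable
    ge: bool            # bit 9, global exact breakpoint enable
    gd: bool            # bit 13, general detect: traps any access to dr0..dr7
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(value: int) -> Dr7:
    """Split a DR7 value into its flags and the enabled breakpoint slots."""
    value &= 0xFFFFFFFF
    enabled = []
    for i in range(4):
        local = bool((value >> (2 * i)) & 1)
        glob = bool((value >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                     # slot not armed; R/W and LEN are irrelevant
        rw = (value >> (16 + 4 * i)) & 0b11
        ln = (value >> (18 + 4 * i)) & 0b11
        enabled.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return Dr7(raw=value,
               le=bool((value >> 8) & 1),
               ge=bool((value >> 9) & 1),
               gd=bool((value >> 13) & 1),
               breakpoints=enabled)


def debugger_indicators(value: int) -> List[str]:
    """What a ring-0 check in the style of Method 10 would read into the value."""
    d = decode_dr7(value)
    notes = []
    if d.le or d.ge:
        notes.append("LE/GE set (the page reports dr7=0x700 when started from the SoftICE loader)")
    for bp in d.breakpoints:
        notes.append(f"dr{bp.index} armed: {bp.access} breakpoint, {bp.length} byte(s)")
    if d.gd:
        notes.append("GD set: any mov to/from a debug register will raise #DB")
    return notes


if __name__ == "__main__":
    # The two values quoted on the page, plus one constructed value:
    # slot 0 local, write access, 4 bytes -> bits 0, 16 and 18-19, with bit 10 fixed at 1.
    for v in (0x700, 0x400, 0xD0401):
        print(f"dr7={v:#x}: {debugger_indicators(v) or ['nothing armed']}")
```

The GD bit is worth knowing from the defensive side: a monitor that sets it turns every later read of dr0..dr7 (the very read this method relies on) into a #DB trap, so the value a program sees is whatever the handler chooses to return.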

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SoftICE device succeeds only when the driver is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
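A static triage helper, added here as an example and not part of the original text: a small Python scanner that looks through a binary for the byte patterns and strings that methods 01 to 05, 07, 11, 12 and 13 above leave behind, so an analyst can list which of these tricks a packed sample carries before ever single-stepping it. The instruction encodings are the standard 16/32-bit x86 ones (mov si,4647h is BE 47 46, int 41h is CD 41, and so on). Method 06 has no fixed constant to match, which is exactly why the page calls it harder to detect, and methods 08, 09, 10 and 14 use vectors or ring-0 services that no byte pattern identifies reliably, so they are left out. The names scan and methods_found are made up for the example and the sample blob is constructed by hand.

```python
"""Scan a binary for the SoftICE-detection idioms listed on this page (added example)."""
import re
from typing import List, Tuple

# Each signature: (method number on the page, what it is, byte-level regex).
# A few intervening bytes are allowed where the page's listings put other
# instructions between the constant load and the interrupt.
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' handshake: mov ebp,4243484Bh",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    (2, "SoftICE back door: mov si,4647h / mov di,4A4Dh magic values",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    (3, "int 2Fh/1684h with the SICE VxD id 0202h",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    (4, "int 2Fh/1684h with the SIWVID VxD id 7A5Fh",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    (5, "int 41h function 4Fh (system debugger magic F386h)",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    (7, "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    (11, "MeltICE: SoftICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    (12, "VxDCall VWIN32_Int41Dispatch: push 002A002Ah",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    (13, "registry lookup of the SoftICE installation keys",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (method, offset, description) for every hit, sorted by method then offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((method, m.start(), description))
    return sorted(hits)


def methods_found(blob: bytes) -> List[int]:
    """The distinct page methods whose signature appears in blob."""
    return sorted({method for method, _, _ in scan(blob)})


# Constructed sample: a few of the page's sequences assembled by hand.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"                   # mov ebp,4243484Bh                 (Method 01)
    + b"\xB8\x04\x00\xCC"                           # mov ax,4 / int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h / si,4647h / di,4A4Dh / int 3 (Method 02)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # mov ax,1684h / mov bx,202h / int 2Fh (Method 03)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh / int 41h / cmp ax,0F386h (Method 05)
    + b"\\\\.\\SICE\x00"                            # device name opened by MeltICE     (Method 11)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for method, offset, description in scan(SAMPLE):
        print(f"offset {offset:#06x}: Method {method:02d} - {description}")
```

Run against a real file, read it in binary mode and hand the bytes to scan(); a hit is a lead, not proof, since the same constants can occur by chance in data, so the offsets are there to be checked in a disassembler.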

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>