<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to segment 0 (the interrupt vector table),
    ; as set up explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in the int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
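The values quoted above only make sense once DR7 is decoded. The script below is an added example (not part of the original text) that splits a DR7 value into its exact-match flags and the type/length of each armed hardware breakpoint, pairs the armed slots with DR0-DR3, and applies the 0x700/0x400 observation from the paragraph as a heuristic. Bit positions follow the Intel SDM; the sample register values are constructed, and an analyst would feed it values captured from a dump or a debugger, since reading the registers themselves needs ring0 as the text says.

```python
# DR7 layout (Intel SDM vol. 3, Debug Control Register):
#   bit 2*i     Li   local enable for DRi         (i = 0..3)
#   bit 2*i+1   Gi   global enable for DRi
#   bit 8 / 9   LE / GE  exact breakpoint match   (the 0x300 part of 0x700)
#   bit 10      reserved, always reads as 1       (the 0x400 seen "otherwise")
#   bits 16+4i..17+4i  R/Wi  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i..19+4i  LENi  00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its exact-match flags and the armed slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({"slot": i, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200), "slots": slots}


def bpm_summary(dr7, addrs):
    """Pair each armed slot with its DR0-DR3 address: (slot, addr, kind, len)."""
    dec = decode_dr7(dr7)
    return [(s["slot"], addrs[s["slot"]], s["kind"], s["length"])
            for s in dec["slots"]]


def loader_heuristic(dr7):
    """The text's rule of thumb: 0x700 (LE and GE set) when the target was
    started through the SoftICE loader, 0x400 (only the fixed bit 10) otherwise.
    This is the page's observation, not a documented SoftICE contract."""
    return "softice-loader" if (dr7 & 0x300) == 0x300 else "normal"


if __name__ == "__main__":
    # Constructed sample: DR7 from a SoftICE-loaded target plus one BPM
    # (read/write, 4 bytes, local enable) on DR1 at 0x00401000.
    dr7 = 0x700 | 0x4 | (0b11 << 20) | (0b11 << 22)
    print(loader_heuristic(dr7))
    for slot, addr, kind, length in bpm_summary(dr7, [0, 0x401000, 0, 0]):
        print(f"DR{slot}: {kind} breakpoint, {length} bytes at {addr:08x}")
```

A DR7 that decodes to no armed slots but still shows LE/GE set is the "loaded under SoftICE" fingerprint the paragraph describes; any armed slot is a BPM the protected program could read or clear.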
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the Win9x SoftICE driver answers on its device name.
   CreateFileA is used explicitly so the narrow string compiles whether or
   not UNICODE is defined. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
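Most of the tricks so far (Methods 01 to 07, 11 and 12) leave fixed byte sequences in the protected file: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, mov ax,4Fh / int 41h / cmp ax,0F386h, the \\.\SICE device names and the 002A002Ah VxDCall service number. The following Python script is an added example, not part of the original text, that scans a raw file for those patterns so an analyst can see which anti-SoftICE checks a packer carries before stepping into it. The opcode encodings are standard x86 (16-bit forms for the DOS tricks, 32-bit forms for Methods 01 and 12); the 16-byte gap tolerance between key instructions, the sample blob and the hit format are this example's own assumptions.

```python
import re
import sys

# Up to 16 arbitrary bytes may separate the key instructions: packers often
# interleave the sequence with junk, and Stone's Method 05 variant restores
# the int 41h vector (10 bytes) before comparing ax. The limit is an
# assumption of this example, not something the original text specifies.
GAP = rb".{0,16}?"

# (method number, description, regex over raw bytes). Encodings are plain
# x86: 16-bit real-mode forms for the DOS tricks, 32-bit forms for Method 01
# (mov ebp, imm32) and Method 12 (push imm8/imm32 before the VxDCall).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' (mov ebp,4243484Bh / int 3 / cmp al,4)",
     rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC" + GAP + rb"\x3C\x04"),
    ("02", "SoftICE back door magic (mov si,4647h / mov di,4A4Dh / int 3)",
     rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC"),
    ("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
     rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F"),
    ("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),
    ("05", "int 41h/4Fh (mov ax,4Fh / int 41h / cmp ax,0F386h)",
     rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x3D\x86\xF3"),
    ("07", "int 68h/43h V86 handler (mov ah,43h / int 68h / cmp ax,0F386h)",
     rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + rb"\x3D\x86\xF3"),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00"),
]


def scan(data):
    """Return (offset, method, description) for every hit, ordered by offset.
    DOTALL lets the gap wildcard cross 0x0A bytes, which are just bytes here."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed test blob: four of the sequences above separated by filler,
# not bytes taken from any real packer.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"        # Method 05 at offset 4
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"                                # Method 11 at offset 20
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"           # Method 12 at offset 29
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                   # Method 02 at offset 38
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(data):
        print(f"{offset:08x}  Method {method}: {desc}")
```

Run it with a file path to scan a real binary, or without arguments to see it flag the four sequences in the constructed blob. Methods 06, 08, 09, 10, 13 and 14 are not in the table: they are either register-only (VMMCall, debug registers), data-driven (registry key names) or, like Method 06, built from instructions too generic to match without false positives.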

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>