About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the 'BCHK' request
    cmp     al,4                   ; al still 4 -> nobody touched it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if no VxD with that ID
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to segment 0 (IVT):
    xchg    bx, es:[41h*4+2]        ; swap in our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if SoftICE answered instead of our handler,
    jnz     SoftICE_detected        ; cl does not hold the value we sent

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the \\.\SICE device only succeeds when the SoftICE VxD answers */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
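Each of the tricks above leaves a recognisable footprint in the protected binary: the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic pair of method 02, the VxD IDs of methods 03/04, the int 41h/4Fh and 0F386h checks of methods 05/12, the int 68h probe of method 07, the \\.\SICE device names of method 11 and the NuMega registry key of method 13. The following static triage scanner is an added example and not code from the original article: an analyst can run it over a suspect file to flag these footprints before loading it under a debugger. The opcode byte sequences are my own assumptions about how the listed instructions assemble (32-bit code where a 66h prefix appears); the device names, VxD IDs, magic values and registry key come from the text, and the sample buffer is constructed.

```python
# Added example, not code from the original article: a static triage scanner
# for the anti-SoftICE footprints the text describes. The opcode byte
# sequences are my own assumptions about how the listed instructions
# assemble (32-bit code where a 66h prefix appears); device names, VxD IDs,
# magic values and the registry key are taken from the article.
import re
from typing import List, Tuple

Hit = Tuple[int, int, str]  # (offset, method number, description)

# Each signature: (method number in the article, description, bytes regex).
# Short opcode patterns can match by accident in ordinary code, so treat hits
# as leads to inspect under a debugger, not as verdicts.
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' probe: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    (2, "SoftICE backdoor magic pair: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\xbe\x47\x46\x66?\xbf\x4d\x4a")),
    (3, "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     re.compile(rb"\xbb\x02\x02\xcd\x2f")),
    (4, "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     re.compile(rb"\xbb\x5f\x7a\xcd\x2f")),
    (5, "int 41h function 4Fh debugger-installed check",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    (5, "compare against debugger magic 0F386h: cmp ax,0F386h",
     re.compile(rb"\x3d\x86\xf3")),
    (7, "int 68h with ah=43h (V86 WinICE handler check)",
     re.compile(rb"\xb4\x43\xcd\x68")),
    (11, "MeltICE-style device name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    (12, "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    (13, "NuMega registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit in blob as (offset, method, description),
    sorted by offset so the report follows the file layout."""
    hits: List[Hit] = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    hits.sort()
    return hits


def scan_file(path: str) -> List[Hit]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample (not a real binary): the relevant byte sequences padded
# with NOPs so the scanner has something to find offline.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"           # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xb8\x04\x00"               # mov ax, 4
    + b"\xcc"                           # int 3
    + b"\x3c\x04"                       # cmp al, 4
    + b"\x75\x10"                       # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                # '\\.\SICE' device name
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"   # push 4Fh / push 002A002Ah
    + b"Software\\NuMega\\SoftICE\x00"  # registry key string
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:08x}  method {method:02d}  {desc}")
```

Run it on a real file with `scan_file("suspect.exe")`; a hit tells you which of the article's breakpoints (BPX CreateFileA, BPINT 41, bpx Get_DDB, BPX _regopenkey...) is worth arming before you step into the packer, and a hit on the 0F386h compare alone is weak evidence on its own, since those three bytes occur in unrelated code.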