<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (as well as the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with the
'BCHK' marker in EBP and AX=4, a loaded SoftICE answers the INT 3 by changing
AL, whereas with no SoftICE present AL still holds 4 afterwards.

 mov ebp, 04243484Bh ; 'BCHK' (BoundsChecker signature)
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, INT 03h.

Here is one example from the file "Haspinst.exe", the Envelope utility of the
HASP dongle used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back-door call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

If SoftICE is loaded, the program executes 6 different SoftICE commands
located at ds:dx, which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (the last
one reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD by ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives a non-zero
entry point; if it is not, ES:DI stays at the 0000:0000 it was initialised to.

 xor di,di
 mov es,di ; ES:DI = 0000:0000 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (or ax,di would be the safer non-zero test)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it asks for the ID of the SoftICE
GFX VxD (SIWVID, the SoftICE video driver).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns (in AX) to the debugger installation check: int 41h, function 4Fh.
There are several variants.

The simplest one:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one, as well as the one used in method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The program first points the
int 41h vector at its own dummy handler so that, without a debugger, the call
returns with AX unchanged; SoftICE intercepts int 41h before the vector is
reached and still answers 0F386h:

 xor ax,ax
 mov es,ax ; ES = 0: the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method from stn-wid.zip, similar to the preceding one but harder to spot:
the handler copies AL into CL, and AL is loaded with a random value read from
the timer port, so there is no constant to patch. If no debugger is present
the program's own handler runs and CL ends up equal to AL; if SoftICE takes
the int 41h, CL stays 0. (Should the timer byte itself be 0, the comparison
matches and the check misses: 1 chance in 256.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; random byte from the 8253/8254 timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): the same installation
check as int 41h/4Fh, but through int 68h, function 43h.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) and whether memory breakpoints are set
(dr0 to dr3), simply by reading their values (ring 0 only). The values can be
manipulated or changed as well (clearing BPMs for instance).
__________________________________________________________________________
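To make the DR7 reading concrete, here is an added example (my own C, not
code from the original text nor from any protection it describes) that
decodes a DR7 value using the bit layout Intel documents for that register,
draws the verdict a protection would draw from it (0x400 vs 0x700 vs an armed
BPM), and computes the value written back to clear the BPMs. The sample DR7
values are constructed; the actual `mov dr7` read is kept under an `#ifdef`
because it only executes at ring 0.

```c
/* Added example, not code from the original text: decode an x86 DR7 value the
 * way the ring-0 check in method 10 would, to tell "a memory breakpoint (BPM)
 * is armed" from "only the LE/GE bits are set" (the 0x700 vs 0x400 values
 * quoted above). The bit layout is the one documented by Intel for DR7. */
#include <stdint.h>
#include <stdio.h>

struct dr7_bp {
    int local;   /* Ln bit: breakpoint n enabled for the current task */
    int global;  /* Gn bit: breakpoint n enabled for all tasks */
    int rw;      /* R/Wn: 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len;     /* LENn: 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes (64-bit only), 3 = 4 bytes */
};

struct dr7_info {
    struct dr7_bp bp[4];
    int le, ge;          /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;              /* bit 13: general detect, #DB on any debug-register access */
    int any_enabled;     /* at least one of L0..L3 / G0..G3 set */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info info = {0};
    for (int i = 0; i < 4; i++) {
        info.bp[i].local  = (dr7 >> (2 * i))      & 1;
        info.bp[i].global = (dr7 >> (2 * i + 1))  & 1;
        info.bp[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        info.bp[i].len    = (dr7 >> (18 + 4 * i)) & 3;
        if (info.bp[i].local || info.bp[i].global)
            info.any_enabled = 1;
    }
    info.le = (dr7 >> 8)  & 1;
    info.ge = (dr7 >> 9)  & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* The verdict a protection would draw from DR7 alone:
 *   0 = nothing suspicious (e.g. 0x400: bit 10 is reserved and reads as 1)
 *   1 = LE/GE set (0x700: program started from the SoftICE loader, per the text)
 *   2 = a hardware breakpoint is armed (a BPM is set) */
int dr7_verdict(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    if (info.any_enabled) return 2;
    if (info.le || info.ge) return 1;
    return 0;
}

/* "Clearing BPMs": drop every enable bit and every R/W-LEN field, keep the
 * middle byte (LE, GE, reserved bit 10, GD) untouched. Writing the result back
 * to DR7 is what a ring-0 protection does to kill the debugger's BPMs. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

#ifdef RING0_BUILD
/* Only legal at CPL 0 (a driver or VxD); from user mode it raises #GP.
 * Left out of the default build so the decoder above runs anywhere. */
static inline uint32_t read_dr7(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%dr7, %0" : "=r"(v));
    return (uint32_t)v;
}
#endif

int main(void)
{
    /* constructed sample values: untouched, loader-started, one 4-byte write BPM in DR0 */
    uint32_t samples[] = { 0x400, 0x700, 0x000D0701 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info = dr7_decode(samples[i]);
        printf("dr7=%08x verdict=%d le=%d ge=%d", (unsigned)samples[i],
               dr7_verdict(samples[i]), info.le, info.ge);
        for (int n = 0; n < 4; n++)
            if (info.bp[n].local || info.bp[n].global)
                printf(" bp%d(rw=%d,len=%d)", n, info.bp[n].rw, info.bp[n].len);
        printf(" cleared=%08x\n", (unsigned)dr7_clear_breakpoints(samples[i]));
    }
    return 0;
}
```

Note that the verdict only looks at DR7; a protection that also reads DR0-DR3
learns the breakpoint addresses themselves, which is what the text means by
"memory breakpoints set (dr0 to dr3)".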

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how on earth could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but much more limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to catch it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; offsets 0x13 and 0x37 are where "tICE"
 sits in key #2 and key #1 respectively, so key #3 is not covered.)
__________________________________________________________________________
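As an added example (my own C, not from the original text nor from the
programs it names), here are the conditions of the CreateFileA breakpoint
from method 11 and of the _regopenkey breakpoint above, written out the way a
hook on those APIs would evaluate them, next to a sturdier filter that goes
beyond the text: it matches the whole device name case-insensitively and
searches the sub-key for the SoftICE names, so the Loader32.Exe key the
fixed-offset BPX misses is covered too. The sample paths are constructed.

```c
/* Added example, not code from the original text: the conditions of the
 * SoftICE breakpoints quoted in methods 11 and 13, written in C as a hook on
 * CreateFileA/_lopen and RegOpenKey would evaluate them, plus a sturdier
 * filter. SoftICE's *(p)=='SICE' is a little-endian dword compare, so the
 * constant is built in memory order S,I,C,E. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 4 bytes at p as the x86 would for a dword compare. */
static uint32_t dword_at(const char *p)
{
    return (uint32_t)(unsigned char)p[0]
         | (uint32_t)(unsigned char)p[1] << 8
         | (uint32_t)(unsigned char)p[2] << 16
         | (uint32_t)(unsigned char)p[3] << 24;
}

#define FOURCC(a, b, c, d) \
    ((uint32_t)(a) | (uint32_t)(b) << 8 | (uint32_t)(c) << 16 | (uint32_t)(d) << 24)

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix. */
int bpx_createfile_condition(const char *lpFileName)
{
    if (strlen(lpFileName) < 8)        /* the BPX itself would just read past the string */
        return 0;
    uint32_t v = dword_at(lpFileName + 4);
    return v == FOURCC('S', 'I', 'C', 'E')
        || v == FOURCC('S', 'I', 'W', 'V')
        || v == FOURCC('N', 'T', 'I', 'C');
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 is where "tICE" sits in "Software\NuMega\SoftICE",
 * 0x37 where it sits in "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int bpx_regopenkey_condition(const char *lpSubKey)
{
    size_t n = strlen(lpSubKey);
    const uint32_t tice = FOURCC('t', 'I', 'C', 'E');
    return (n >= 0x13 + 4 && dword_at(lpSubKey + 0x13) == tice)
        || (n >= 0x37 + 4 && dword_at(lpSubKey + 0x37) == tice);
}

/* Portable case-insensitive helpers (no strcasestr/_stricmp dependency). */
static const char *istrstr(const char *hay, const char *needle)
{
    size_t nl = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nl && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == nl)
            return hay;
    }
    return NULL;
}

static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Sturdier hook filter (a generalisation, not in the text): require the
 * "\\.\" device prefix and match the whole device name case-insensitively,
 * as Win32 device names are, so "\\.\siwvid" is caught and an unrelated
 * "\\.\SIWVXYZ" is not. */
int is_softice_device_path(const char *path)
{
    static const char *const names[] = { "SICE", "SIWVID", "NTICE" };
    if (strncmp(path, "\\\\.\\", 4) != 0)
        return 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (ieq(path + 4, names[i]))
            return 1;
    return 0;
}

/* Same idea for the registry: look for the SoftICE key names anywhere in the
 * sub-key, which also covers key #3 (Loader32.Exe) that the fixed-offset BPX misses. */
int is_softice_registry_key(const char *subkey)
{
    return istrstr(subkey, "\\SoftICE") != NULL
        || istrstr(subkey, "NuMega") != NULL
        || istrstr(subkey, "Loader32.Exe") != NULL;
}

int main(void)
{
    /* constructed sample arguments, as a hook would see them */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\SIWVXYZ", "C:\\readme.txt" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("%-16s bpx=%d filter=%d\n", files[i],
               bpx_createfile_condition(files[i]), is_softice_device_path(files[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%s\n  bpx=%d filter=%d\n", keys[i],
               bpx_regopenkey_condition(keys[i]), is_softice_registry_key(keys[i]));
    return 0;
}
```

The literal BPX conditions are fast because they compare one dword at a fixed
offset, but that is also their weakness: a lower-case device name or a
different key layout slips past them, which the full-name and substring
filters catch.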

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>