<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 so es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in BX:DX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; a hooked int 41h still answers with the magic
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer value, unknown to the debugger
    xor cx, cx
    int 41h                 ; our handler copies AL into CL unless a debugger intercepts
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

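The decoder below is an added example, not code from the original text. It splits DR7 into its architectural fields so the two values quoted above can be read: 0x400 is only the reserved bit 10 (architecturally always 1), while 0x700 additionally has the LE and GE "exact breakpoint" enables (bits 8 and 9) set with no DR0-DR3 slot armed. The function names and the third sample value (0xD0401, a write watchpoint of 4 bytes in DR0) are my own constructions. A caveat for anyone reading DR7 from ring0 as the page suggests: if the GD bit (13) is set, any MOV to or from a debug register raises #DB, so the read itself traps.

```python
"""DR7 field decoder: an added illustration for Method 10, not code from the
original text. The two DR7 values quoted there (0x700 and 0x400) and the
constructed value 0xD0401 are the sample inputs."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn field; 8 only on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its architectural fields (Intel SDM vol. 3, Debug Registers)."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)      # Ln: enabled for the current task
        glob = bool((dr7 >> (2 * i + 1)) & 1)   # Gn: enabled for all tasks
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "enabled": local or glob,
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally always 1
        "gd": bool((dr7 >> 13) & 1),   # general detect: MOV DRn raises #DB
    }


def active_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 that currently arm a hardware breakpoint
    (a BPM in SoftICE terms)."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def matches_softice_loader(dr7: int) -> bool:
    """The 0x700 pattern the page describes: LE and GE set, no slot armed.
    Bit 10 alone (0x400) is the idle state."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not active_breakpoints(dr7)


if __name__ == "__main__":
    for v in (0x400, 0x700, 0xD0401):
        d = decode_dr7(v)
        print(hex(v), "loader-like" if matches_softice_loader(v) else "-",
              "armed:", active_breakpoints(v), "GD:", d["gd"])
```

Running the block prints 0x400 as idle, 0x700 as loader-like with nothing armed, and 0xD0401 as DR0 armed (write, 4 bytes); the page's "some memory breakpoints set" case is exactly a non-empty `active_breakpoints()` result.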
___________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the driver answers as a device name; the open succeeds only if SICE is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
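Most of the methods above leave fixed byte sequences in a binary: the BCHK constant (Method 01), the SI/DI magic pair and the 09xxh function numbers (Method 02), the int 2Fh/1684h entry-point query with the two VxD IDs (Methods 03 and 04), int 41h/4Fh and the 0F386h compare (Methods 05 and 12), int 68h/43h (Method 07), the 002A002Ah VWIN32 service word (Method 12), and the device and registry strings of Methods 11 and 13. The scanner below is an added example, not part of the original text, that looks for those encodings in a file image so an analyst can flag a sample that carries them before running it. The names `SIGNATURES`, `scan` and `build_sample` are mine; the opcode bytes are the standard 16-bit x86 encodings of the instructions shown on the page, and the sample buffer is constructed, not taken from any real binary.

```python
"""Static scanner for the anti-SoftICE idioms catalogued on this page.
Added illustration, not code from the original text; the sample buffer is
constructed. Patterns are regexes over bytes; '.{0,8}?' tolerates a few
instructions between the register setup and the interrupt."""
import re

# Each name maps to the 16-bit x86 encoding of the idiom it detects.
SIGNATURES = {
    "bchk":                 rb"\xbd\x4b\x48\x43\x04",          # mov ebp,4243484Bh 'BCHK'
    "backdoor_magic":       rb"\xbe\x47\x46\xbf\x4d\x4a",      # mov si,4647h ; mov di,4A4Dh
    "backdoor_func":        rb"\xb8[\x10-\x14]\x09",           # mov ax,0910h..0914h
    "vxd_entry_sice":       rb"\xbb\x02\x02.{0,8}?\xcd\x2f",   # mov bx,0202h ... int 2Fh
    "vxd_entry_siwvid":     rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f",   # mov bx,7A5Fh ... int 2Fh
    "int41_4f":             rb"\xb8\x4f\x00.{0,8}?\xcd\x41",   # mov ax,4Fh ... int 41h
    "magic_f386":           rb"\x3d\x86\xf3",                  # cmp ax,0F386h
    "int68_43":             rb"\xb4\x43\xcd\x68",              # mov ah,43h ; int 68h
    "vwin32_int41dispatch": rb"\x68\x2a\x00\x2a\x00",          # push 002A002Ah
    "device_name":          rb"\\\\\.\\(SICE|SIWVID|NTICE)",   # \\.\SICE etc.
    "registry_key":         rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (offset, signature_name) pairs, sorted by offset, for every hit."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer: filler plus 16-bit encodings of Methods 01, 02, 03
    and 05 and a MeltICE device string. Not extracted from any real file."""
    return (
        b"\x90" * 4
        + b"\x66\xbd\x4b\x48\x43\x04"           # mov ebp,4243484Bh (66h: 32-bit operand)
        + b"\xb8\x04\x00\xcc"                    # mov ax,4 ; int 3
        + b"\xb8\x11\x09\x8b\x17"                # mov ax,0911h ; mov dx,[bx]
        + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"        # mov si,4647h ; mov di,4A4Dh ; int 3
        + b"\x33\xff\x8e\xc7"                    # xor di,di ; mov es,di
        + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"    # mov ax,1684h ; mov bx,0202h ; int 2Fh
        + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
        + b"\\\\.\\SICE\x00"                     # MeltICE device name
    )


def scan_file(path: str) -> list:
    """Convenience wrapper for a real sample on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:08x}  {name}")
```

The interrupt idioms are paired with their register setup rather than matched on the bare `CD xx` opcode, because two-byte sequences such as `CD 41` occur freely in data; even so, treat a hit as a lead to disassemble, not as proof, and expect 32-bit builds (operand-size prefixes, `push imm32`) to need the extra encodings the `bchk` and `vwin32_int41dispatch` entries already cover.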
</PRE></TD></TR></TBODY></TABLE>