About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler (assumes ES=0,
    xchg    bx, es:[41h*4+2]        ; the IVT) and save the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random AL from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: int 41h never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

$ O1 c2 D! ?" t- q4 e) i' eMethod 138 G2 z. [0 V- ^& g; m
=========2 t% q( M7 b: M" I

+ l! L# ]- n5 X' H$ {" Z# f( mNot a real method of detection, but a good way to know if SoftICE is
- G" x3 E6 [, ]+ Iinstalled on a computer and to locate its installation directory.) [2 t  m$ j/ F5 l
It is used by few softs which access the following registry keys (usually #2) :
4 V: B1 P4 e3 c! {! h
/ n, I+ n% k$ d5 G& z- S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 }3 T: P3 J3 C6 e1 l: J
\Uninstall\SoftICE% Z! P; s* N  ]; r1 S
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 c; a/ S  e% X9 i% F, M, }% z# N-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ i: K$ d5 [# u\App Paths\Loader32.Exe" s5 [5 X  d& |: G" j
' l/ {4 I+ M+ k+ e
+ p1 [( m' O. U6 R2 l* F" C% ^
Note that some nasty apps could then erase all files from SoftICE directory& V. s, o( z  i( R
(I faced that once :-(& t$ s; N: B6 n  Q8 r

1 K( W$ ]# X1 m5 Y* PUseful breakpoint to detect it:8 M+ I; e) X: o# e- x, O

8 [9 I( y' m) y, U+ S1 ^! v     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'. z4 |: v1 g9 @% S
0 ]  i5 o* }$ g4 O* U/ ?
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
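An added example, not part of the original post: a small Python scanner that looks for the byte patterns of Methods 01 to 05, 07 and 11 in a binary blob, the way an analyst triages a packed sample for anti-SoftICE checks before stepping through it. The constants come from the text above; the x86 encodings, the signature names and the constructed sample bytes are my own.

```python
import re

# Byte patterns for the SoftICE checks described above (Methods 01-05, 07, 11).
# The constants (BCHK, 4647h/4A4Dh, 0202h/7A5Fh, 0F386h, the driver names) come
# from the text; the x86 encodings are mine. Where 16- and 32-bit code differ only
# by the 0x66 operand-size prefix, the prefix is optional, and `.{0,16}?` tolerates
# a few unrelated instructions between the two halves of a check.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') / mov ax,04h / int 3
    "M01 BoundsChecker 'BCHK' via int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # mov si,4647h / mov di,4A4Dh, the back-door magic values
    "M02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A",
    # mov bx,0202h ... int 2Fh and mov bx,7A5Fh ... int 2Fh (the two VxD IDs)
    "M03 int 2Fh/1684h VxD ID 0202h (SICE)":
        rb"\xBB\x02\x02.{0,16}?\xCD\x2F",
    "M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)":
        rb"\xBB\x5F\x7A.{0,16}?\xCD\x2F",
    # int 41h / int 68h ... cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xCD\x41.{0,16}?(?:\x66)?\x3D\x86\xF3",
    "M07 int 68h/43h magic 0F386h":
        rb"\xCD\x68.{0,16}?(?:\x66)?\x3D\x86\xF3",
    # NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE as handed to CreateFileA/_lopen
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}

def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every anti-SoftICE pattern in blob, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):  # DOTALL: '.' must match 0x0A
            hits.append((name, m.start()))
    return sorted(hits, key=lambda hit: hit[1])

def triage(blob: bytes) -> dict[str, int]:
    """Hit count per signature; an empty dict means none of the known checks was seen."""
    counts: dict[str, int] = {}
    for name, _ in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample, not a real binary: NOP padding, a 32-bit Method 01 stub,
# a Method 03 stub, a MeltICE device name and some harmless string data.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh ; 'BCHK'
    + b"\x66\xB8\x04\x00"          # mov ax,04h (0x66 prefix: 32-bit code)
    + b"\xCC"                      # int 3
    + b"\x3C\x04\x75\x10"          # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x84\x16"              # mov ax,1684h
    + b"\xBB\x02\x02"              # mov bx,0202h ; VxD ID of winice
    + b"\xCD\x2F"                  # int 2Fh
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE", the name MeltICE opens
    + b"Hello, world\x00"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Hits are only a triage hint: the int 41h/68h and int 2Fh patterns can also occur in legitimate debugger-aware code, so confirm each offset in a disassembler before drawing conclusions.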