About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the IVT (es = 0) here, as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE of the SoftICE Win9x driver */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:

   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:

   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
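As an added example (not part of the original post), here is a small static scanner that looks for the byte-level fingerprints of the methods above, so an analyst triaging a packed sample can tell which of these checks it carries before stepping through it. The opcode encodings, the signature labels and the sample blob are my own assumptions, constructed for illustration.

```python
"""Static scanner for the anti-SoftICE fingerprints catalogued in this post.
Added example (not from the original post). Opcode encodings are my own
assumptions: 16-bit operand size for the DOS-era sequences, plain 32-bit
encoding for the 'BCHK' and VxDCall sequences."""
import re

# (label, byte regex); `.{0,N}` with re.S tolerates a few instructions
# interleaved between the characteristic ones.
SIGNATURES = [
    # M01: mov ebp,4243484Bh ('BCHK') ... int 3  -> BD 4B 48 43 42 ... CC
    ("M01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.S)),
    # M02: mov si,4647h ; mov di,4A4Dh ... int 3  -> BE 47 46 / BF 4D 4A ... CC
    ("M02 back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,6}\xBF\x4D\x4A.{0,6}\xCC", re.S)),
    # M03/M04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh -> B8 84 16 BB id CD 2F
    ("M03 int 2Fh/1684h for VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02.{0,4}\xCD\x2F", re.S)),
    ("M04 int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A.{0,4}\xCD\x2F", re.S)),
    # M05: mov ax,4Fh ; int 41h  -> B8 4F 00 CD 41
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,4}\xCD\x41", re.S)),
    # M07: mov ah,43h ; int 68h  -> B4 43 CD 68
    ("M07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,4}\xCD\x68", re.S)),
    # M11 (MeltICE): NUL-terminated driver names handed to CreateFileA/_lopen
    ("M11 MeltICE driver device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # M12: push 4Fh ; push 002A002Ah ; call VxDCall -> 6A 4F 68 2A 00 2A 00
    ("M12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # M13: the SoftICE registry keys (#1, #2 and #3 above)
    ("M13 SoftICE registry key string",
     re.compile(rb"(NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
                re.I)),
]

def scan(blob: bytes):
    """Return every hit as (offset, label), sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)

def found_methods(blob: bytes):
    """Deduplicated method numbers present in the blob, e.g. ['M01', 'M11']."""
    return sorted({label.split()[0] for _, label in scan(blob)})

# Constructed sample (not a real binary): the Method 01 check, the
# Haspinst-style Method 02 call, the int 2Fh SICE probe and two MeltICE
# device names, with NOP padding around them.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"                  # mov ax, 4
    + b"\xCC"                              # int 3
    + b"\x3C\x04\x75\x10"                  # cmp al,4 / jnz short
    + b"\xB8\x11\x09"                      # mov ax, 0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,202h / int 2Fh
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    + b"\x90" * 4
)
```

Running `scan(open(path, "rb").read())` over a suspect file lists each hit with its offset; a hit only tells you a check is present, so confirm it at the offset before treating it as more than a hint.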