About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SICE driver through its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* The open succeeded, so the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.