About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with ebp holding
the 'BCHK' signature and ax=4, an int 3 is serviced by SoftICE, which
returns with al changed; without SoftICE the int 3 does nothing and al
is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less-used method. It looks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get VxD API entry point). The caller zeroes ES:DI first;
if no VxD with that ID answers, ES:DI is still 0:0 afterwards.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the interrupt
table is first replaced by a dummy handler (a plain iret), so that a
program-level handler cannot answer the call; only a debugger that traps
int 41h below the vector table can still return ax=0F386h. The vector is
swapped back afterwards:

    xor     ax,ax
    mov     es,ax               ; es = 0 (interrupt vector table); not in the
                                ; listing as posted, needed for the es: accesses
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
(no 4Fh function code to break on). An unpredictable byte is read from the
timer port (40h) into al, and the temporary int 41h handler copies al into
cl. The trick assumes that when SoftICE is present it services int 41h
itself and never reaches the handler in the vector table, so cl stays 0 and
differs from al. (If the byte read happens to be 0 the check misses; about
1 time in 256.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT counter 0: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode). Int 68h with
AH=43h is the same debugger installation check as int 41h/4Fh, answered
with AX=0F386h by a system debugger:

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (which hangs the computer...).
Once the vectors are replaced, every single-step or breakpoint exception the
debugger relies on lands in that routine instead.

    mov     ah, 25h
    mov     al, Int_Number      ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only, since a mov from a debug register is privileged). The
values can be manipulated or changed as well (clearing BPMs for instance).
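Since this trick is about interpreting the values read from DR7 and DR0..DR3 rather than about one instruction sequence, the useful companion is a decoder. The following code is an added example, not code from the original page: it applies Intel's documented DR7 bit layout (local/global enable bits, LE/GE, GD, the R/W and LEN fields, and reserved bit 10 which always reads 1, which is why a clean DR7 reads 0x400) and then classifies a value the way this method does: LE and GE both set, the 0x700 case above, is taken as the SoftICE-loader signature, and any enable bit as a memory breakpoint. That classification follows the page's observation; the privileged register reads themselves are outside the example.

```python
# DR7 layout (Intel-defined, not specific to this page):
#   bits 0..7   : L0/G0 .. L3/G3, local/global enable for DR0..DR3
#   bits 8, 9   : LE, GE (exact breakpoint match)
#   bit  10     : reserved, always reads 1 (hence the 0x400 baseline)
#   bit  13     : GD, general detect (trap on any access to DR0..DR7)
#   bits 16+4i  : R/W_i  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i  : LEN_i  00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Describe the breakpoints and flags a DR7 value enables."""
    addrs = (dr0, dr1, dr2, dr3)
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"reg": i, "addr": addrs[i], "type": RW_NAMES[rw],
                    "len": LEN_BYTES[ln],
                    "scope": "global" if glob else "local"})
    return {
        "exact_local": bool(dr7 & 0x100),      # LE
        "exact_global": bool(dr7 & 0x200),     # GE
        "general_detect": bool(dr7 & 0x2000),  # GD
        "breakpoints": bps,
    }


def classify_dr7(dr7, **drs):
    """The page's reading of DR7: enable bits mean BPMs are set, LE+GE
    (0x700) means the program was started by the SoftICE loader, 0x400
    is a clean register."""
    info = decode_dr7(dr7, **drs)
    if info["breakpoints"]:
        return "memory breakpoints set (BPM)"
    if info["exact_local"] and info["exact_global"]:
        return "loaded under SoftICE loader (LE/GE set)"
    return "no debugger traces"


def clear_bpm(dr7):
    """What a protector that 'clears BPMs' does: drop every enable, R/W
    and LEN field and keep only bits 8..15 (LE, GE, reserved, GD)."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    # Constructed values: the two cases quoted on the page, plus a DR7 with
    # a 4-byte read/write BPM in DR0 (L0=1, RW0=11, LEN0=11).
    for value, regs in ((0x700, {}), (0x400, {}), (0xF0401, {"dr0": 0x401000})):
        print("DR7=%08X: %s" % (value, classify_dr7(value, **regs)))
        for bp in decode_dr7(value, **regs)["breakpoints"]:
            print("   DR%d %s len=%d addr=%08X (%s)" % (
                bp["reg"], bp["type"], bp["len"], bp["addr"], bp["scope"]))
```

A BPM set with SoftICE shows up as one of the enable bits plus its R/W and LEN field; what a protector cannot tell from DR7 alone is whether the exact-match bits were set by SoftICE's loader or by some other debugger, which is why the page only claims the 0x700 value for the loader case.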

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega itself, to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when the
driver is loaded, so a valid handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE of the Win9x SoftICE VxD. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job (it returns HFILE_ERROR, i.e. -1, on
failure, so the "inc eax" sets ZF exactly when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

, w) [( Z4 l9 P) Z, ^6 TMethod 13# ~7 P. D  }! U* C
=========
5 Z! e# k; q, ^$ {  R
1 V0 _1 Q! e9 J; l  _2 q5 `4 WNot a real method of detection, but a good way to know if SoftICE is8 x( Q4 N2 A2 S- i6 i. L
installed on a computer and to locate its installation directory.$ u, \; y! x3 ^
It is used by few softs which access the following registry keys (usually #2) :/ k. u* i9 J& q  N$ h9 q! J4 d

" Q; a$ C: S) C; d-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 l0 |' V+ D! l; z! f
\Uninstall\SoftICE* U! |6 C' R) z
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! {" }1 q% V9 e  j& ^-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ n$ [" J& u# S
\App Paths\Loader32.Exe2 y. m! e, c) {8 [- D
. Y; J' E+ P: @
' J4 T; B  o# U. `% j, g: l
Note that some nasty apps could then erase all files from SoftICE directory
2 ]% B( _5 f) q7 h5 F$ f(I faced that once :-(
+ |4 B1 G9 C# H! f3 @
! O% a+ {% P* M! q/ {" X, B8 WUseful breakpoint to detect it:2 m, l( e6 q* ^) T" R! R0 X
7 ~' f' y  M0 U$ u3 S
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
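The conditional breakpoints given for Method 11 (CreateFileA) and Method 13 (_regopenkey) both dereference a fixed offset into the string argument and compare four raw bytes, which is where the offsets +4, +0x13 and +0x37 come from. The following code is an added example, not part of the original page: it reproduces those two conditions in Python over the argument strings exactly as CreateFileA and RegOpenKey receive them, and adds a static scanner that finds the same device names and registry keys (ASCII and UTF-16LE) in a file image, run here over a constructed buffer rather than a real binary.

```python
# Device names tried by MeltICE-style checks (Method 11) and the registry
# keys of Method 13, as written on this page.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REG_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]


def _dword_at(mem, off):
    # *(ptr+off) as SoftICE evaluates it: the 4 raw bytes at that address.
    return mem[off:off + 4]


def createfile_bpx_fires(lp_file_name):
    # BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName,
    # +4 skips the four-character \\.\ prefix, so the compare is on the
    # four bytes of the device name that follow it.
    return _dword_at(lp_file_name, 4) in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_bpx_fires(lp_sub_key):
    # BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
    # esp->8 is lpSubKey; 0x13 is where 'tICE' sits in Software\NuMega\SoftICE
    # (key #2) and 0x37 where it sits in ...\Uninstall\SoftICE (key #1).
    return (_dword_at(lp_sub_key, 0x13) == b"tICE"
            or _dword_at(lp_sub_key, 0x37) == b"tICE")


def find_softice_strings(buf):
    """Static counterpart of the breakpoints: locate the device names and
    registry keys in a file image, as ASCII and as UTF-16LE."""
    hits = []
    for s in DEVICE_NAMES + REG_KEYS:
        wide = s.decode("ascii").encode("utf-16le")
        for enc, needle in (("ascii", s), ("utf-16le", wide)):
            i = buf.find(needle)
            while i != -1:
                hits.append((i, enc, s.decode("ascii")))
                i = buf.find(needle, i + 1)
    hits.sort()
    return hits


# Constructed file image (not a real binary): an ASCII device name, a
# UTF-16LE one and one registry key, separated by padding.
SAMPLE_IMAGE = (b"\x00" * 8 + b"\\\\.\\SICE\x00" + b"\x90" * 3
                + "\\\\.\\NTICE".encode("utf-16le") + b"\x00\x00"
                + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for name in (b"\\\\.\\SICE\x00", b"\\\\.\\PhysicalDrive0\x00"):
        print("CreateFileA(%r) -> BPX fires: %s" % (name, createfile_bpx_fires(name)))
    for key in REG_KEYS:
        print("RegOpenKey(%r) -> BPX fires: %s" % (key, regopenkey_bpx_fires(key + b"\x00")))
    for off, enc, text in find_softice_strings(SAMPLE_IMAGE):
        print("%04X  %-8s %s" % (off, enc, text))
```

Two things the reproduced conditions make visible: the 0x13/0x37 compare never fires on key #3 (Loader32.Exe), and both conditions are case-sensitive byte compares while registry key names are case-insensitive, so a program that opens Software\numega\softice walks straight past the breakpoint. The scanner has the same limitation unless it is given a case-folded pass.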
+ Z0 L) _, J6 v4 [7 n0 ?
4 ~" b/ U, ^. c2 F& z__________________________________________________________________________- U" o/ K! [" n& f- |. ^

. C0 }" I+ {! B9 c" N
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). It returns with ZF set when no debugger is installed:

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
5 S5 g) q% j$ f! Z0 \</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (鲁ICP备19052200号-1) | Powered by Discuz! X3.5