About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = PIT counter byte, hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our own handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========


This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).


The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.


Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if SICE is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.


   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>