<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE: int 3 with ebp='BCHK' and ax=4 is the
BoundsChecker interface call, and al only changes if SoftICE answered it.

    mov ebp, 04243484Bh   ; 'BCHK' magic value
    mov ax, 04h           ; BoundsChecker function 4
    int 3                 ; handled by SoftICE if it is loaded
    cmp al, 4             ; al is unchanged if nobody answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands... It is also used to crash SoftICE
and to force it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get Device API Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

____________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh. There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

This variant and the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy handler is swapped into the
int 41h vector for the duration of the call, so the magic value can only
come from a debugger that intercepts the interrupt before it reaches the
interrupt vector table (as SoftICE does):

    xor ax, ax
    mov es, ax            ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install dummy handler, old offset saved in dx
    xchg bx, es:[41h*4+2] ; ... and old segment saved in bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; only runs if the interrupt really reached the vector
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install dummy handler, old vector saved in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h            ; unpredictable value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; cl == al only if our own handler ran
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler of int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h           ; set interrupt vector
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their values (ring0 only). The values can be
manipulated and/or changed as well (clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active (the code
is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE, SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver accepts an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field. Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax               ; HFILE_ERROR (-1) becomes 0
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004Fh        ; function 4Fh
    push 002A002Ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h        ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory. It is used
by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
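Most of the checks catalogued above leave fixed byte sequences in a protected binary: the 'BCHK' immediate (Method 01), the 4647h/4A4Dh magic values next to an int 3 (Method 02), int 2Fh/1684h with the VxD IDs (Methods 03 and 04), int 41h/4Fh (Method 05), int 68h/43h (Method 07), the VxDCall arguments (Method 12), the MeltICE device names (Method 11) and the NuMega registry key (Method 13). The following scanner is an added example, not code from the original text: it searches a raw image for those patterns and reports which methods are present. The opcode bytes are the assumed encodings of the listed instructions (16-bit forms for the DOS methods), the signature names are made up here, and the sample image is constructed for the demonstration.

```python
import re

# Byte-pattern signatures for the SoftICE checks catalogued above. The opcode
# bytes are the assumed encodings of the listed instructions (16-bit forms for
# the DOS methods); the strings are the device names and registry key used by
# Methods 11 and 13. Regex syntax, matched against raw bytes.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK' stored as little-endian imm32)
    "method01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh followed closely by int 3
    "method02_backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh
    "method03_int2f_sice_vxd": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "method04_int2f_siwvid_vxd": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "method05_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "method07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "method12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: \\.\SICE, \\.\SIWVID and \\.\NTICE device names (MeltICE)
    "method11_meltice_devname": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key HKLM\Software\NuMega\SoftICE
    "method13_registry_key": rb"NuMega\\SoftICE",
}

COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a list of (signature name, offset) for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def detected_methods(blob):
    """Return the sorted list of signature names that occur in blob."""
    return sorted({name for name, _ in scan(blob)})


# Constructed sample image: padding, then the opcode bytes of Methods 01, 02
# (Haspinst-style), 05 and 12, then two MeltICE device names and the registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                       # Method 13
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print("0x%04X  %s" % (off, name))
```

The Method 02 pattern tolerates a few bytes between the magic values and the int 3 because real code (the Haspinst listing above) interleaves other instructions; the int 2Fh and int 41h patterns are exact because those sequences are rarely broken up. Matches are evidence, not proof: the same bytes can occur by chance in data, so a hit is a place to look with the breakpoints listed under each method, not a verdict.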
</PRE></TD></TR></TBODY></TABLE>