<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by most of
the packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: INT 3 is executed with
EBP = 'BCHK' and AX = 4. If SoftICE is loaded it answers the call and AL
no longer holds 4; if it is not loaded AL is unchanged. (Under Win32 an
INT 3 with no debugger present raises an exception that the program has
to handle itself, see the SEH note under Method 02.)

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands. It is also used to crash SoftICE or to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS and ...HBOOT (which reboots the
machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get Device API Entry Point). The call returns the entry point in ES:DI,
or 0:0 if no VxD with that ID is loaded, so the sum ES+DI is non-zero
only when SoftICE is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of SICE (WinICE)
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE video VxD, SIWVID.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls INT 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). The INT 41h vector is temporarily swapped for a
do-nothing IRET handler so that the call is harmless when no debugger is
present; SoftICE intercepts INT 41h itself and still answers 0F386h. The
swap assumes ES=0 (the interrupt vector table), which Method 06 sets up
explicitly:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to spot because
no comparison with 0F386h appears in the code. A dummy INT 41h handler
copies AL into CL. AL is loaded from port 40h (a byte of the PIT channel 0
counter, which changes constantly) and CX is cleared. If no debugger is
present the dummy handler runs and CL ends up equal to AL. If SoftICE is
loaded it services INT 41h itself, the dummy handler never runs, CL stays
0 and differs from AL. (If the timer byte happens to be 0 the check misses
SoftICE.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode). Function 43h
returns the same 0F386h magic number as INT 41h/4Fh when a debugger is
installed.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS must hold the routine's segment
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device and returns its Device Description
Block (in ECX) if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
    mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only,
MOV from a DRx is a privileged instruction) you can detect whether SoftICE
is loaded (DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (DR0 to DR3 hold their
addresses, the enable bits live in DR7). The values can be read,
manipulated and changed as well (clearing BPMs, for instance).

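As an added example (not code from the original page or from any tool it names), here is a decoder for DR7 that shows what the two values quoted above mean and what a Method 10 check actually looks at. The bit layout is the architectural one (L0..G3 enable bits in 0-7, LE/GE in 8-9, GD in 13, R/W and LEN fields from bit 16 up; bit 10 is reserved and always reads 1, which is why an idle DR7 shows as 0x400, and 0x700 is LE and GE set on top of that). Reading DR7 for real needs ring 0; the values here are passed in as integers, and the page only states that 0x700 is observed, not which component sets LE/GE.

```python
"""
Decoding DR7, the debug control register that the Method 10 check reads.
Added example, not code from the original page. Bit positions follow the
architectural DR7 layout; the sample values below are the ones the page
quotes plus two constructed breakpoint configurations.
"""
from __future__ import annotations
from dataclasses import dataclass

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is valid only in 64-bit mode


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of DR0..DR3 holds the linear address
    local: bool       # Ln bit: enabled for the current task
    global_: bool     # Gn bit: enabled for every task
    kind: str         # access that triggers it
    length: int       # monitored size in bytes


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the armed breakpoint slots and the global control bits."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue          # slot i disabled: its R/W and LEN fields are meaningless
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),    # local exact breakpoint match
        "ge": bool((dr7 >> 9) & 1),    # global exact breakpoint match
        "gd": bool((dr7 >> 13) & 1),   # general detect: trap any access to a DRx
    }


def debugger_suspected(dr7: int) -> bool:
    """The Method 10 decision: an armed slot (a BPM), or LE/GE set (the 0x700 case)."""
    d = decode_dr7(dr7)
    return bool(d["breakpoints"]) or d["le"] or d["ge"]


def clear_breakpoints(dr7: int) -> int:
    """The counter-move the page mentions: drop every L/G enable bit, keep the rest."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # 0x400 and 0x700 are the values quoted on the page; the third is a constructed
    # DR7 with a global 1-byte write breakpoint armed in slot 0.
    for value in (0x400, 0x700, 0x400 | 0x2 | 0x10000):
        print(f"DR7={value:#x}: {decode_dr7(value)} suspected={debugger_suspected(value)}")
```

A BPM set with SoftICE shows up as one armed slot; `clear_breakpoints` is what a protection running in ring 0 would do to silence it without SoftICE noticing until the next hit fails to fire.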
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).
The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh         ; function 4Fh
    push 002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' within keys #2 and #1 respectively):
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
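The BPX lines above catch these tricks live; the static counterpart is to look for the same stubs in the file. As an added example (not code from the original page, nor from MeltICE, FrogsICE or any other tool it names), here is a scanner for the byte patterns of the stubs quoted in methods 01 to 07, 11, 12 and 13. The instruction encodings are hand-assembled from the listings on this page and also cover the 66h-prefixed 32-bit forms of the 16-bit stubs. The SAMPLE buffer is constructed for the demonstration; the UTF-16LE variants of the device and registry strings are an assumption to cover the W versions of the same APIs, which the page does not discuss.

```python
"""
Static scanner for the SoftICE-detection stubs catalogued on this page
(methods 01-07, 11, 12 and 13). Added example, not code from the original
page. Byte patterns are hand-assembled encodings of the instructions each
method quotes; SAMPLE is a constructed buffer used only for the demo.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    method: str
    desc: str
    regex: re.Pattern


def _sig(method: str, desc: str, pattern: bytes) -> Sig:
    return Sig(method, desc, re.compile(pattern, re.DOTALL))


CODE_SIGS = [
    # mov ebp,'BCHK' (BD 4B 48 43 42; 66-prefixed in 16-bit code), then int 3 (CC)
    _sig("01", "BoundsChecker 'BCHK' interface via INT 3",
         rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    # mov si,4647h ('FG') ; mov di,4A4Dh ('JM') ; int 3   (16- or 32-bit forms)
    _sig("02", "INT 3 back door, SI='FG' DI='JM'",
         rb"\xBE\x47\x46.{0,3}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # mov ax,1684h ; mov bx,0202h ; int 2Fh
    _sig("03", "INT 2Fh/1684h for VxD ID 0202h (SICE)",
         rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    _sig("04", "INT 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
         rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # mov ax,4Fh ; int 41h   (the cmp ax,0F386h may be far away, so it is not required)
    _sig("05/06", "INT 41h function 4Fh debugger check",
         rb"\xB8\x4F\x00\xCD\x41"),
    # mov ah,43h ; int 68h
    _sig("07", "INT 68h function 43h debugger check",
         rb"\xB4\x43\xCD\x68"),
    # push 4Fh (imm8 or imm32 form) ; push 002A002Ah   (VxDCall VWIN32_Int41Dispatch)
    _sig("12", "VxDCall VWIN32_Int41Dispatch(4Fh)",
         rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_KEYS = ["Software\\NuMega\\SoftICE", "Uninstall\\SoftICE",
                 "App Paths\\Loader32.Exe"]

STRING_SIGS = []
for method, names in (("11", DEVICE_NAMES), ("13", REGISTRY_KEYS)):
    for name in names:
        # ANSI form (CreateFileA / RegOpenKeyA) and, as an assumption, the
        # UTF-16LE form a Unicode build would pass to the W APIs.
        STRING_SIGS.append(_sig(method, f"string {name} (ANSI)",
                                re.escape(name.encode("ascii"))))
        STRING_SIGS.append(_sig(method, f"string {name} (UTF-16LE)",
                                re.escape(name.encode("utf-16-le"))))

SIGS = CODE_SIGS + STRING_SIGS


def scan(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, ordered by offset."""
    hits = []
    for sig in SIGS:
        for m in sig.regex.finditer(buf):
            hits.append((m.start(), sig.method, sig.desc))
    return sorted(hits)


def methods_found(buf: bytes) -> list[str]:
    """Just the method numbers that fired, de-duplicated."""
    return sorted({method for _, method, _ in scan(buf)})


# Constructed sample: several stubs from the page glued together with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"   # method 01, 16-bit code
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # method 02, Haspinst stub
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # method 12
    + b"\\\\.\\SICE\x00"                                    # method 11, ANSI
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"      # method 11, UTF-16LE
    + b"Software\\NuMega\\SoftICE\x00"                       # method 13
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:6} {desc}")
```

Run it over a packed executable's unpacked image rather than the packed file, since the packers the page talks about keep these stubs inside the compressed or encrypted section; a hit only tells you which of the page's methods to set the matching BPX for.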
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring
0 only). The service returns with ZF set when no debugger is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>