<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 04h once SoftICE has answered the BCHK request
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0 when the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to be 0 (IVT) here, as in Method 06
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler, keep the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte read from the timer port
    xor cx,cx
    int 41h                 ; our handler copies al into cl, unless SoftICE handled the int itself
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
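To see what the two DR7 values quoted above actually encode, here is an added Python example (not code from the original document): a decoder that splits a DR7 value into its enable flags and the armed hardware breakpoints. It assumes the standard Intel DR7 bit layout; the 0x700 and 0x400 figures come from the text, and the other sample values are constructed.

```python
"""DR7 decoder for the Method 10 observation (added example, not from the original text).

Bit layout (standard x86, assumed from the Intel manuals):
  bits 0..7  : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
  bits 8, 9  : LE, GE                   local/global exact breakpoint enable
  bit 10     : reserved, always reads as 1 (hence the 0x400 baseline in the text)
  bit 13     : GD                       general detect (trap on any DRx access)
  bits 16+4n : RW n (2 bits)            break condition for DRn
  bits 18+4n : LEN n (2 bits)           monitored size for DRn
"""
from typing import Dict, List

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the flags and the list of armed hardware breakpoints encoded in dr7."""
    breakpoints: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue  # DRn not armed; its RW/LEN fields carry no meaning
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n, "local": local, "global": glob,
            "kind": RW_NAMES[rw], "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def looks_loaded_by_softice_loader(dr7: int) -> bool:
    """The text's fingerprint: dr7 == 0x700 (LE|GE on top of the 0x400 baseline)
    when the program was started by the SoftICE loader, 0x400 when it was not."""
    return (dr7 & 0x300) == 0x300


def has_memory_breakpoint(dr7: int) -> bool:
    """True if any armed DRn is a data (write or read/write) breakpoint, i.e. a BPM."""
    return any(bp["kind"] in ("write", "read/write")
               for bp in decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # 0x000F0403 is a constructed sample: DR0 armed local+global, read/write, 4 bytes
    for value in (0x400, 0x700, 0x000F0403):
        print(hex(value), decode_dr7(value),
              looks_loaded_by_softice_loader(value), has_memory_breakpoint(value))
```

Running the decoder on 0x700 shows that the loader fingerprint is nothing more than LE and GE being set with no breakpoint armed, which is why the text warns against tracing with BPMs active: any armed DR0..DR3 changes the value a program reads.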

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                         ; OF_READ
    mov eax,[00656634]              ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                         ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                    ; detected
    push 00                         ; OF_READ
    mov eax,[00656638]              ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                     ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
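Most of the methods above leave a recognisable footprint in the program that uses them: a fixed immediate (the 'BCHK' constant, the VxD IDs, the 4Fh/0F386h pair), a driver name or a registry path. As an added example that is not part of the original document, here is a small Python signature scanner an analyst can run over a binary to list which of these checks it carries. The opcode encodings are the standard x86 ones and are an assumption of this example (16-bit encodings for the DOS-era snippets, an optional 66h prefix for the 32-bit mov ax); the driver names and registry keys are taken from the text, and the sample blob is constructed.

```python
"""Static signature scan for the anti-SoftICE checks described above (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    method: str
    offset: int
    matched: bytes


# Byte patterns for the snippets in the text.  Opcode encodings are the standard
# x86 ones (assumed): B8/BB/BD imm = mov ax/bx/ebp, CD imm8 = int, B4 imm8 = mov ah,
# 6A/68 = push imm8/imm32, and an optional 66h prefix for a 32-bit "mov ax".
# ".{0,8}?" tolerates a few unrelated bytes between the register setup and the int.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 01: 'BCHK' BoundsChecker probe (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("Method 03: int 2Fh/1684h with the SICE VxD ID 0202h",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with the SIWVID VxD ID 7A5Fh",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh debugger check",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("Method 07: int 68h function 43h WinICE handler check",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11: MeltICE driver name for CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("Method 13: SoftICE registry key",
     rb"(?:NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Finding]:
    """Return every signature hit in blob, ordered by offset."""
    hits = [Finding(name, m.start(), m.group(0))
            for name, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits, key=lambda f: f.offset)


# Constructed sample "binary": filler bytes plus five of the checks from the text.
SAMPLE = (
    b"\x55\x8B\xEC"                                    # push ebp; mov ebp,esp (filler)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"      # Method 01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"              # Method 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"              # Method 11: driver names
    + b"Software\\NuMega\\SoftICE\x00"                 # Method 13: registry key #2
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                  # Method 12: push 4Fh; push 2A002Ah
)


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"0x{f.offset:08x}  {f.method}")
```

The patterns are deliberately narrow (exact immediates, a short gap before the int), so they are for triage rather than proof: a packed or encrypted program has to be dumped first, a CreateFileW caller stores the driver name as UTF-16 and needs a wide variant of the Method 11 pattern, and a hit still has to be confirmed in the disassembler before it is reported.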
0 T! S1 \4 m. v; b6 I</PRE></TD></TR></TBODY></TABLE> |