About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
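The breakpoints quoted under Methods 09, 11, 12 and 13 catch these tricks at run time. The script below is an added example (not code from the original post, and not NuMega/SoftICE code) that does the complementary static job: it scans a raw buffer, such as a dumped code section or an unpacked DOS binary, for the instruction sequences of Methods 01 to 05, 07 and 12 and for the device names and registry keys of Methods 11 and 13, so an analyst knows which trick a sample carries before stepping into it. The byte patterns are assumed to be the standard x86 encodings of the quoted instructions (an optional 66h prefix covers both 16-bit and 32-bit code), and the sample buffer is constructed for the demonstration.

```python
"""Static triage for the anti-SoftICE tricks listed in the text above.

Added example, not code from the original post or from NuMega/SoftICE.
Assumptions: the byte patterns are the standard x86 encodings of the quoted
instructions; SAMPLE is a constructed buffer, not a real program.
"""
import re

# Opcode patterns. An optional 0x66 operand-size prefix lets one pattern
# match both the 16-bit (DOS) and 32-bit encodings of the 16-bit register moves.
CODE_PATTERNS = {
    "M01 BoundsChecker 'BCHK' signature + int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC",
    "M02 SoftICE back door magic values (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",
    "M03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h/4Fh compared with magic 0F386h":
        rb"\x66?\xB8\x4F\x00\xCD\x41\x66?\x3D\x86\xF3",
    "M07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",
    "M12 VxDCall 2A002Ah (VWIN32_Int41Dispatch) with function 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# Strings used by Method 11 (MeltICE device names) and Method 13 (registry keys).
STRING_INDICATORS = {
    "M11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "M13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                 b"Uninstall\\SoftICE",
                                 b"App Paths\\Loader32.Exe"],
}


def scan(buf: bytes):
    """Return sorted (offset, label) hits for every pattern/string found in buf."""
    hits = set()
    for label, pattern in CODE_PATTERNS.items():
        for m in re.finditer(pattern, buf):
            hits.add((m.start(), label))
    for label, needles in STRING_INDICATORS.items():
        for needle in needles:
            text = needle.decode("ascii")
            # Match both the ANSI and the UTF-16LE copy, case-insensitively.
            for encoded in (needle, text.encode("utf-16-le")):
                for m in re.finditer(re.escape(encoded), buf, re.IGNORECASE):
                    hits.add((m.start(), f"{label}: {text}"))
    return sorted(hits)


def methods_used(buf: bytes):
    """Distinct method tags ('Mnn') whose indicators appear in buf."""
    return sorted({label.split()[0] for _, label in scan(buf)})


# Constructed sample: filler bytes around four of the document's tricks.
SAMPLE = (
    b"\x55\x8B\xEC"                                              # push ebp / mov ebp,esp
    + bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505")  # Method 01 (32-bit code)
    + b"\x90" * 8
    + bytes.fromhex("B84F00" "CD41" "3D86F3" "7400")             # Method 05 (16-bit code)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                         # Method 11 device name
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")             # Method 13 key, UTF-16LE
    + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
    print("methods:", ", ".join(methods_used(SAMPLE)))
```

A hit only says the sequence is present, not that it is reachable; packers also split or obfuscate these sequences, so treat the scan as a starting point for where to place the breakpoints given above rather than as proof.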