About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (IVT segment), as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver device can be opened. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
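As an added example (not part of the original post), the following Python scanner flags the opcode sequences, device names and registry paths that the methods above rely on, so an analyst can triage a binary for these anti-SoftICE checks statically. The byte signatures are derived from the 16-bit/32-bit x86 encodings of the instructions shown in each method, and the sample buffer is constructed here for demonstration.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int
    method: str     # method number from the write-up above
    detail: str


# Opcode signatures for the tricks above, as byte regexes. 16-bit encodings
# (B8 = mov ax, BB = mov bx, BE/BF = mov si/di, BD = mov ebp, CD = int); an
# optional 66h prefix admits the 32-bit forms, and ".{0,n}?" tolerates a few
# unrelated bytes between the instructions.
OPCODE_SIGS = [
    ("01", rb"\x66?\xBD\x4B\x48\x43\x42",
     "mov ebp,'BCHK' (BoundsChecker int 3 probe)"),
    ("02", rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
     "mov si,4647h / mov di,4A4Dh (int 3 back-door magic values)"),
    ("03", rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F",
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    ("04", rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F",
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    ("05", rb"\xB8\x4F\x00.{0,4}?\xCD\x41",
     "mov ax,4Fh / int 41h debugger installation check"),
    ("07", rb"\xB4\x43.{0,4}?\xCD\x68",
     "mov ah,43h / int 68h (V86 handler check)"),
    ("12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     "push 4Fh / push 2A002Ah (VxDCall VWIN32_Int41Dispatch)"),
]

# Plain strings used by the MeltICE (11) and registry (13) variants.
STRING_SIGS = [
    ("11", b"\\\\.\\SICE", "CreateFile/_lopen on the SICE device"),
    ("11", b"\\\\.\\SIWVID", "CreateFile on the SIWVID device"),
    ("11", b"\\\\.\\NTICE", "CreateFile on the NTICE device"),
    ("13", b"Software\\NuMega\\SoftICE", "SoftICE registry key"),
    ("13", b"Uninstall\\SoftICE", "SoftICE uninstall registry key"),
    ("13", b"App Paths\\Loader32.Exe", "Symbol Loader App Paths key"),
]


def scan(buf: bytes) -> list:
    """Return every signature hit in buf, sorted by offset."""
    hits = []
    for method, pat, detail in OPCODE_SIGS:
        for m in re.finditer(pat, buf, re.DOTALL):     # 0x0A is a valid byte
            hits.append(Finding(m.start(), method, detail))
    for method, lit, detail in STRING_SIGS:
        for m in re.finditer(re.escape(lit), buf, re.IGNORECASE):
            hits.append(Finding(m.start(), method, detail))
    return sorted(hits, key=lambda f: (f.offset, f.method))


# Constructed sample: the Haspinst.exe back-door loop (method 02), the
# int 41h/4Fh probe (method 05), two device names and one registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan(data):
        print(f"{f.offset:08x}  method {f.method}  {f.detail}")
```

Run it with a file argument to scan a real binary; without one it reports the hits in the constructed sample.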