<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0 when the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax              ; (added) ES -> interrupt vector table, as in
    mov es, ax              ; Method 06; the original listing assumes it
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; SoftICE still answers through its own hook
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copied al into cl; if SoftICE
    jnz SoftICE_detected    ; intercepted int 41h, it never ran

_________________________________________________________________________


Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
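
As an added example, not part of the original text or of any tool it names,
the C scanner below looks for the byte patterns of Methods 01 to 05, 11 and 12
in a raw file image, which is how an analyst flags these tricks statically
before running a protected program. The signature bytes are the 16-bit x86
encodings of the instructions listed above, the function names are mine, and
the sample buffer is a constructed re-encoding of the Haspinst.exe listing
from Method 02.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Signature bytes: 16-bit x86 encodings of the instructions listed in the
 * text (a 32-bit build adds 0x66 prefixes to the 16-bit register moves). */
static const uint8_t SIG_M01[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };       /* MOV EBP,'BCHK' */
static const uint8_t SIG_M02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }; /* MOV SI,4647 ; MOV DI,4A4D */
static const uint8_t SIG_M03[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* AX=1684 BX=0202 INT 2F */
static const uint8_t SIG_M04[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* AX=1684 BX=7A5F INT 2F */
static const uint8_t SIG_M05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 }; /* AX=4F INT 41 CMP AX,F386 */
static const uint8_t SIG_M11[] = "\\\\.\\SICE";                          /* name given to CreateFileA/_lopen */
static const uint8_t SIG_M12[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* PUSH 002A002A (Int41Dispatch) */

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;
static const sig_t SIGS[] = {
    { "M01 BoundsChecker 'BCHK' before INT 3",   SIG_M01, sizeof SIG_M01 },
    { "M02 back door magic SI=4647/DI=4A4D",     SIG_M02, sizeof SIG_M02 },
    { "M03 INT 2F/1684 with SICE VxD ID 0202",   SIG_M03, sizeof SIG_M03 },
    { "M04 INT 2F/1684 with SIWVID VxD ID 7A5F", SIG_M04, sizeof SIG_M04 },
    { "M05 INT 41/4F magic number F386",         SIG_M05, sizeof SIG_M05 },
    { "M11 \\\\.\\SICE device name (MeltICE)",   SIG_M11, sizeof SIG_M11 - 1 },
    { "M12 VxDCall 002A002A Int41Dispatch",      SIG_M12, sizeof SIG_M12 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan a raw file image; bit i of the result is set when SIGS[i] occurs. */
unsigned scan_anti_sice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        const sig_t *s = &SIGS[i];
        for (size_t off = 0; off + s->len <= len; off++) {
            if (memcmp(buf + off, s->bytes, s->len) == 0) {
                hits |= 1u << i;   /* report each trick once */
                break;
            }
        }
    }
    return hits;
}

const char *sig_name(unsigned i) { return i < NSIGS ? SIGS[i].name : NULL; }

/* Constructed sample: the Haspinst.exe loop from the text (Method 02),
 * re-encoded from its mnemonics, followed by the Method 05 check. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,                   /* 0095 MOV AX,0911 */
    0x8B, 0x17,                         /* 0098 MOV DX,[BX] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, /* 009A MOV SI,4647 ; MOV DI,4A4D */
    0xCC,                               /* 00A0 INT 3 */
    0x83, 0xC3, 0x02, 0x41,             /* 00A1 ADD BX,02 ; INC CX */
    0x83, 0xF9, 0x06, 0x72, 0xEB,       /* 00A5 CMP CX,06 ; JB 0095 */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,       /* Method 05: MOV AX,4F ; INT 41 */
    0x3D, 0x86, 0xF3, 0x90,             /* CMP AX,F386 */
};
unsigned scan_sample(void) { return scan_anti_sice(SAMPLE, sizeof SAMPLE); }
```

Bits 1 and 4 of scan_sample() are set, i.e. Methods 02 and 05 are found in
the sample and nothing else is.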

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>