About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker request by changing AL
    cmp     al,4                   ; AL still 4 -> nobody answered -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It uses
the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (ES:DI stays 0:0 if the VxD is not loaded)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (ES:DI stays 0:0 if the VxD is not loaded)
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The idea is to install a dummy int 41h
handler first: if the call still returns 0F386h, the interrupt was answered
before it ever reached the vector table, i.e. by SoftICE.

    xor     ax,ax
    mov     es,ax                ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; swap in our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect (there is no
function number in AX to put a BPINT 41 condition on):

int41handler PROC
    mov     cl,al                ; our handler just records AL in CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]       ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; a pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                ; CL == AL only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, 01h                    ; or 03h (single-step / breakpoint interrupt)
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
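
What those dr7 values actually encode, as an added example (Python, not code
from the original post). Python cannot read DR0..DR7 itself, so the decoder
takes values obtained elsewhere (ring0 code, a kernel debugger, a crash dump)
and spells them out; the function names and the sample values are mine and the
values are constructed for illustration. Bit 10 of DR7 always reads as 1 on a
real CPU, which is why an unwatched process sees 0x400 rather than 0.

```python
"""Decoder for the x86 debug registers that Method 10 reads.

Added example, not code from the original post. DR values must be
obtained from ring0 (a VxD, a kernel debugger, a dump); sample values
below are constructed.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN encoding; 2 (8 bytes) exists on x86-64 only


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Split DR7 into its flags and the list of armed hardware breakpoints."""
    addrs = (dr0, dr1, dr2, dr3)
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue                           # DRi may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENi: bits 18-19, 22-23, 26-27, 30-31
        bps.append({
            "reg": f"DR{i}",
            "addr": addrs[i],
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return {
        "le": bool(dr7 & (1 << 8)),            # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),            # global exact breakpoint enable
        "reserved": bool(dr7 & (1 << 10)),     # bit 10 reads as 1 on a real CPU
        "gd": bool(dr7 & (1 << 13)),           # general detect: #DB on any DR access
        "breakpoints": bps,
    }


def loaded_by_softice_loader(dr7):
    """Method 10's heuristic (name is mine): LE and GE set on top of the
    always-set bit 10 gives 0x700; a bare 0x400 is what any other process sees."""
    return (dr7 & 0x700) == 0x700


def active_bpms(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Addresses a protected program could read (or clear) to find BPMs."""
    return [bp["addr"] for bp in decode_dr7(dr7, dr0, dr1, dr2, dr3)["breakpoints"]]


if __name__ == "__main__":
    # constructed values: a 4-byte write BPM on 0x401000 plus the loader flags
    print(decode_dr7(0x000D0701, dr0=0x401000))
```

One caveat the decoder makes visible: the GD bit (13). When it is set, the
CPU raises #DB on the next mov to or from any debug register, so a ring0
debugger can trap code that reads dr7 the way Method 10 does instead of
letting it see the BPMs.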

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by the NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 = open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
key #2 and key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
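
Most of the methods above leave fixed byte sequences in the protected binary,
which is the other way to find them: scan for the encodings before ever
tracing into the code. The scanner below is an added example (Python), not
code from the original post or from any of the programs it mentions. It
assumes the 16-bit instruction encodings shown in the post (in 32-bit code a
66h operand-size prefix simply precedes the same bytes); the signature names,
`scan`/`scan_file` and the `SAMPLE` buffer are mine, and `SAMPLE` is
constructed here rather than taken from a real program.

```python
"""Static scanner for the anti-SoftICE tricks listed in the post above.

Added example, not code from the original post. Signature names and
the SAMPLE buffer are constructed for illustration.
"""
import re

# (name, regex over raw bytes). Encodings are the 16-bit forms from the
# post; a 66h prefix in 32-bit code sits in front and does not break them.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    # Method 02: back door magic values mov si,4647h / mov di,4A4Dh
    ("02 back door magic SI=4647h DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD ID lookup (SICE or SIWVID)",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh debugger check",
     rb"\xB8\x4F\x00.{0,32}\xCD\x41"),
    # Method 06: in al,40h ... int 41h (no function number to break on)
    ("06 in al,40h / int 41h handler check",
     rb"\xE4\x40.{0,8}\xCD\x41"),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h",
     rb"\xB4\x43.{0,8}\xCD\x68"),
    # Methods 05/07/12 all end with cmp ax,0F386h
    ("magic number compare cmp ax,0F386h",
     rb"\x3D\x86\xF3"),
    # Method 12: push 4Fh ... push 002A002Ah (VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}\x68\x2A\x00\x2A\x00"),
    # Method 11: driver names handed to CreateFileA / _lopen
    ("11 MeltICE driver name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal an installed SoftICE
    ("13 SoftICE registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)"),
]

# DOTALL so the '.' gaps also span a 0x0A byte inside the code
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes) -> list:
    """Return [(offset, name), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a packed DOS .exe or a Win9x PE)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Method 01, Method 05 and a MeltICE device name glued
# together with NOP padding. Not bytes from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh ('BCHK')
    + b"\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x4F\x00"              # mov ax,4Fh
    + b"\xCD\x41"                  # int 41h
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x10"                  # jz SoftICE_detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0 for CreateFileA / _lopen
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

The short patterns (the 0F386h compare, `int 41h` after `mov ax,4Fh`) will
also fire on legitimate debugger-interface code, so treat a single hit as a
place to set a breakpoint, not as proof of a protection; Method 08 (int 21h/25h)
is left out on purpose because setting an interrupt vector is too common to
be a signature.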