<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP holding the
'BCHK' signature and AX=04h, INT 3 is intercepted by SoftICE, which returns
with AL no longer equal to 04h; when SoftICE is not loaded, AL is untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on INT 3, which gives information on
breakpoints, executes SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back
non-zero.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks up the ID of the
SoftICE graphics VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is first
replaced with a dummy IRET handler, so the call is harmless when no debugger
is installed; a system debugger that intercepts int 41h still answers 0F386h.
The original vector is restored afterwards:

        xor ax,ax
        mov es,ax               ; ES=0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (there
is no 4Fh/0F386h signature to break on). The program installs its own int 41h
handler, which copies AL into CL. AL is loaded from the timer port so its
value is unpredictable, and CX is cleared before the call: if the program's
handler ran, CL equals AL afterwards; if a debugger swallowed the int 41h,
CL is still 0.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES=0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: unpredictable value in AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while this option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) and whether memory breakpoints are
set, simply by reading the value of DR0 to DR3. The values can be manipulated
or changed as well (clearing BPMs, for instance).

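Decoding what Method 10 reads from the debug registers, as an added example
(not code from the original text or from any tool it mentions). It assumes the
IA-32 layout of DR7: local/global enable bits L0,G0 .. L3,G3 in bits 0-7, LE
and GE in bits 8-9, a reserved bit that always reads as 1 in bit 10, and an
R/W plus LEN field per slot in bits 16-31; 0x400 is that reserved bit alone and
0x700 is the reserved bit plus LE and GE, which is the difference the text
describes. The register values are constructed inline, not captured from a
machine, and the bpm() helper and function names are mine.

```python
# Added example: decode DR7 the way a ring-0 check like Method 10 reads it.
# Bit layout assumed from the IA-32 architecture manuals, not from the page.
DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED = 1 << 10   # always reads as 1
DR7_GD = 1 << 13         # general detect: trap on any MOV to/from DRx

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the hardware breakpoints (SoftICE BPMs) that DR7 enables."""
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        bps.append({
            "slot": slot,
            "addr": dr0_3[slot],
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
            "global": bool(glob),
        })
    return bps


def softice_loader_loaded(dr7):
    """Method 10's 0x700 vs 0x400 test: LE and GE are both set."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpms(dr7):
    """What an anti-debug routine does when it 'clears BPMs': drop every
    enable bit and every R/W and LEN field, keep LE/GE/GD and reserved bits."""
    return dr7 & 0x0000FF00


def bpm(slot, rw, length):
    """DR7 bits for one local-enabled breakpoint in the given slot (assumed
    helper, used only to construct the sample states below)."""
    len_code = {1: 0, 2: 1, 4: 3, 8: 2}[length]
    return (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (len_code << (18 + 4 * slot))


# Constructed register states (not captured from a real machine):
DR7_NO_SOFTICE = DR7_RESERVED                        # 0x400
DR7_SOFTICE_IDLE = DR7_RESERVED | DR7_LE | DR7_GE    # 0x700
# "BPM 401000 W" in slot 0 and a dword "BPM 402000 RW" in slot 1:
DR7_WITH_BPMS = DR7_SOFTICE_IDLE | bpm(0, 1, 1) | bpm(1, 3, 4)
DR0_3 = (0x401000, 0x402000, 0, 0)

if __name__ == "__main__":
    for name, dr7 in [("no SoftICE", DR7_NO_SOFTICE),
                      ("SoftICE, no BPM", DR7_SOFTICE_IDLE),
                      ("SoftICE + BPMs", DR7_WITH_BPMS)]:
        print(f"{name:16s} DR7={dr7:#010x} loader={softice_loader_loaded(dr7)} "
              f"bpms={decode_dr7(dr7, DR0_3)}")
    print(f"after clear_bpms: DR7={clear_bpms(DR7_WITH_BPMS):#010x}")
```

Running it prints the three states and the DR7 value left after a protection
zeroes the BPM fields; that zeroed state (0x700, no slot enabled) is exactly
what a tool faking the debug registers has to present so that the check reads
"no breakpoints" while SoftICE still has its BPMs armed.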
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open only succeeds if the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Try to open the SoftICE Win9x VxD by its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the VxD answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
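The breakpoints listed under each method catch these checks at run time. A
static counterpart, added here as an example (not part of the original text or
of any tool it mentions), is to look for the byte patterns behind Methods 01 to
07, 11, 12 and 13 in a file before running it. The opcode encodings assumed are
the standard x86 ones: 16-bit code for the DOS snippets, 32-bit code for the
Win32 ones, with an optional 66h operand-size prefix wherever the same
instruction could appear in either mode. The sample blob is assembled by hand
from those encodings and the device/registry strings quoted above; it is
constructed, not extracted from any real program, and the signature names are
mine.

```python
import re

# Added example, not from the original text or any tool it mentions.
# `\x66?` allows the operand-size prefix where the same instruction could
# appear in 16- or 32-bit code; `.{0,n}?` tolerates a few unrelated bytes
# between the instructions that make up one check.


def _op(pattern):
    """Opcode signature: exact bytes, DOTALL so `.` also matches 0x0A."""
    return re.compile(pattern, re.DOTALL)


def _txt(text):
    """ASCII string signature (device / registry name), case-insensitive."""
    return re.compile(re.escape(text), re.IGNORECASE)


SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "m01_bchk_int3": _op(rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC"),
    # Method 02: back-door magic values mov si,4647h / mov di,4A4Dh (either order)
    "m02_backdoor_magic": _op(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"
                              rb"|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
    "m03_int2f_1684_SICE": _op(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F"),
    "m04_int2f_1684_SIWVID": _op(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "m05_int41_4f": _op(rb"\x66?\xB8\x4F\x00\xCD\x41"),
    # Method 06: in al,40h ; ... ; int 41h (no 4Fh and no 0F386h to look for)
    "m06_int41_timer": _op(rb"\xE4\x40.{0,4}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": _op(rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "m12_vxdcall_int41dispatch": _op(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)"
                                     rb"\x68\x2A\x00\x2A\x00"),
    # Methods 05, 07 and 12 all end with cmp ax,0F386h
    "cmp_ax_f386": _op(rb"\x66?\x3D\x86\xF3"),
    # Method 11 (MeltICE): device names handed to CreateFile / _lopen
    "m11_device_SICE": _txt(b"\\\\.\\SICE"),
    "m11_device_SIWVID": _txt(b"\\\\.\\SIWVID"),
    "m11_device_NTICE": _txt(b"\\\\.\\NTICE"),
    # Method 13: registry key #2
    "m13_registry_numega": _txt(b"Software\\NuMega\\SoftICE"),
}


def scan(blob):
    """Return sorted (offset, signature_name) pairs for every hit in blob."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample "binary" (not from any real program): filler, then the
# snippets from the text assembled by hand, then the strings the MeltICE-style
# and registry checks use.
SAMPLE = (
    b"\x90" * 4
    # Method 01, 32-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # Method 02, DOS: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # Method 03, DOS: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # Method 05, DOS: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"
    # Method 07, DOS: mov ah,43h / int 68h / cmp ax,0F386h
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"
    # Method 12, Win32: push 4Fh / push 002A002Ah / call [imm32] / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00\x66\x3D\x86\xF3"
    # Method 11 / 13 strings
    + b"\\\\.\\SICE\0" + b"\\\\.\\NTICE\0" + b"Software\\NuMega\\SoftICE\0"
    # Method 06, DOS: in al,40h / xor cx,cx / int 41h
    + b"\xE4\x40\x33\xC9\xCD\x41"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#08x}  {name}")
```

Run it on a packed executable by replacing SAMPLE with the file's bytes. Treat
hits as triage, not proof: a packer that builds 'BCHK' or the 4647h/4A4Dh
magic values at run time, or stores the device name as UTF-16 or XORed, will
not match, which is why the run-time breakpoints given under each method
remain the reliable way to catch these checks.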
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>