About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It calls the BoundsChecker interface that SoftICE exposes on int 3: with
'BCHK' in EBP and function 4 in AX, SoftICE answers the request and AL no
longer holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It uses
the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI comes back non-zero:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector in the IVT is swapped
for a dummy handler around the call, so without a debugger AX is returned
unchanged (es must point to the IVT, segment 0, as in Method 06):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old offset
    xchg    bx, es:[41h*4+2]        ; save old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.  AL is
loaded with a random byte from the timer port and CX is cleared; if the dummy
handler runs (no debugger) it copies AL into CL, so CL != AL means int 41h
never reached it:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01     ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the sub-key strings of #2 and #1):

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
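The post catalogues these tricks one by one; when triaging a packed binary you want to find all of them at once. The following scanner is an added example, not part of the original post or of any tool it mentions: it searches a raw image for the byte encodings of the instruction sequences in Methods 01-07, 10 and 12 and for the device-name and registry strings of Methods 11 and 13 (ANSI and UTF-16LE). The encodings are the plain 16-bit forms from the listings above; the `.{0,N}?` gaps and the search for `0F 21 /r` (any `mov r32,drN`) are my generalisation, and `SAMPLE_IMAGE` is constructed for the demo, not taken from a real program.

```python
"""Static scanner for the anti-SoftICE idioms catalogued in the post.

Added example, not part of the original post.  SAMPLE_IMAGE is a
constructed byte string, not a fragment of any real program.
"""
import re
from typing import Iterator

# (method, description, regex over raw bytes).  Encodings are the plain
# 16-bit forms from the listings; 32-bit code carries the same bytes behind
# a 66h operand-size prefix, so the patterns do not anchor on the prefix.
# Small .{0,N}? gaps tolerate register set-up between the instructions.
CODE_SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,'BCHK' (BD 4B 48 43 42)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "back door: mov si,4647h ; mov di,4A4Dh ; int 3",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F"),
    ("05", "int 41h function 4Fh: mov ax,4Fh ; int 41h",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("07", "int 68h function 43h: mov ah,43h ; int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("10", "debug register read: mov r32,drN (0F 21 /r, ring 0 only)",
     rb"\x0F\x21[\xC0-\xFF]"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in CODE_SIGNATURES]

# Strings of Method 11 (MeltICE device names, also used via _lopen) and
# Method 13 (registry sub-key fragments), searched as ANSI and UTF-16LE.
DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]
REGISTRY_FRAGMENTS = ["Software\\NuMega\\SoftICE", "Uninstall\\SoftICE",
                      "App Paths\\Loader32.Exe"]


def _find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    start = 0
    while (i := haystack.find(needle, start)) >= 0:
        yield i
        start = i + 1


def _encodings(text: str) -> list[tuple[bytes, str]]:
    return [(text.encode("ascii"), "ANSI"), (text.encode("utf-16-le"), "UTF-16")]


def scan(image: bytes) -> list[tuple[str, int, str]]:
    """Return (method, offset, description) for every hit, sorted by offset."""
    hits: list[tuple[str, int, str]] = []
    for method, desc, pat in COMPILED:
        hits += [(method, m.start(), desc) for m in pat.finditer(image)]
    for name in DEVICE_NAMES:
        for blob, label in _encodings("\\\\.\\" + name):
            hits += [("11", off, f"device name \\\\.\\{name} ({label})")
                     for off in _find_all(image, blob)]
    for key in REGISTRY_FRAGMENTS:
        for blob, label in _encodings(key):
            hits += [("13", off, f"registry key fragment {key!r} ({label})")
                     for off in _find_all(image, blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_found(image: bytes) -> list[str]:
    """Distinct method numbers present in the image, ascending."""
    return sorted({m for m, _, _ in scan(image)})


# Constructed sample: the post's sequences hand-assembled back to back.
SAMPLE_IMAGE = (
    b"\x90" * 4                                   # filler
    # Method 02 (Haspinst.exe): mov ax,0911h ; mov dx,[bx] ; mov si,4647h ;
    # mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # Method 05, simplest form: mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    # Method 03: xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # Method 10 in a ring-0 stub: mov eax,dr7
    + b"\x0F\x21\xF8"
    # Method 12: push 4Fh ; push 2A002Ah
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"
    # Method 11 / 13 string data, ANSI and UTF-16LE
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for method, off, desc in scan(SAMPLE_IMAGE):
        print(f"offset {off:04x}  method {method}  {desc}")
```

Treat hits as leads, not proof: `B8 4F 00` or `0F 21 F8` can occur in data, and a packer that builds the magic values arithmetically (e.g. `mov si,4646h ; inc si`) evades byte signatures, which is exactly why the post's SoftICE breakpoints on the interrupt handlers and APIs remain the more reliable check.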
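Methods 11 and 13 quote SoftICE conditional breakpoints with hard-coded offsets (`esp->4+4`, `esp->8+0x13`, `esp->8+0x37`) without showing where the numbers come from. The following is an added example, not code from the post: it derives such conditions from the API argument position and the strings to catch. The expression syntax is assumed from the post itself (`esp->N` is the dword at esp+N, `*(p)` dereferences, a four-character literal compares as a dword, numbers default to hex); the function names and the two-mode interface are mine.

```python
"""Derive SoftICE BPX conditions like those quoted in Methods 11 and 13.

Added example, not part of the original post.  Expression syntax assumed
from the post: esp->N reads the dword at esp+N, *(p) dereferences, and
'SICE' compares as a dword.  SoftICE defaults to hex, so offsets below 10
are printed bare and larger ones with 0x, as the post writes them.
"""
from typing import Optional

# Strings from the post.  The NuMega key comes first because the post says
# it is the one usually checked.
DEVICE_PATHS = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_SUBKEYS = [
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]


def stack_arg(index: int) -> str:
    """Stack slot of the 1-based argument on entry to a stdcall API: the
    return address sits at esp, so argument i is the dword at esp+4*i."""
    if index < 1:
        raise ValueError("arguments are numbered from 1")
    return f"esp->{4 * index:x}"


def _fmt_offset(n: int) -> str:
    # A single digit reads the same in decimal and hex; larger values get 0x.
    return str(n) if n < 10 else f"0x{n:x}"


def _term(slot: str, offset: int, literal: str) -> str:
    if len(literal) != 4 or not literal.isascii() or "'" in literal:
        raise ValueError(f"need four plain ASCII characters, got {literal!r}")
    return f"*({slot}+{_fmt_offset(offset)})=='{literal}'"


def bpx_condition(api: str, arg_index: int, strings: list[str], *,
                  offset: Optional[int] = None,
                  marker: Optional[str] = None) -> str:
    """BPX line that fires when string argument `arg_index` of `api` is one
    of `strings`.  Either compare the four bytes at a fixed `offset` (Method
    11: skip the four-byte \\\\.\\ prefix), or locate a four-byte `marker`
    inside each string (Method 13: 'tICE' inside ...SoftICE) and compare at
    the offset where it occurs; strings lacking the marker are skipped."""
    if (offset is None) == (marker is None):
        raise ValueError("give exactly one of offset= or marker=")
    slot = stack_arg(arg_index)
    terms: list[str] = []
    for s in strings:
        if marker is not None:
            pos = s.find(marker)
            if pos < 0:
                continue
            term = _term(slot, pos, marker)
        else:
            if len(s) < offset + 4:
                raise ValueError(f"{s!r} too short for offset {offset}")
            term = _term(slot, offset, s[offset:offset + 4])
        if term not in terms:           # identical windows collapse to one test
            terms.append(term)
    if not terms:
        raise ValueError("no string produced a comparable window")
    return f"BPX {api} if " + " || ".join(terms)


if __name__ == "__main__":
    print(bpx_condition("CreateFileA", 1, DEVICE_PATHS, offset=4))
    print(bpx_condition("_regopenkey", 2, REGISTRY_SUBKEYS, marker="tICE"))
```

The marker form reproduces the post's `0x13` and `0x37` (position of `tICE` in sub-keys #2 and #1) and silently drops #3, which has no such substring; the fixed-offset form reproduces the CreateFileA condition by skipping the `\\.\` prefix. Both compare only four bytes, so `SIWV` and `NTIC` are deliberately truncated, exactly as in the post.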