About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is still 4 if nobody answered the BCHK request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di          ; ES:DI stays 0 if no VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (IVT segment), see Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler ...
    xchg    bx, es:[41h*4+2]        ; ... keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; dummy handler: records AL in CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = PIT counter low byte (a varying value)
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

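The 0x700 versus 0x400 comparison above only makes sense once the bit fields of DR7 are spelled out. The following Python decoder is an added example (not part of the original post): it splits a DR7 value into the Lx/Gx enable bits, the LE/GE/GD flags and the R/W and LEN fields of each slot, then applies the post's heuristic (0x700 = LE and GE set, 0x400 = only the always-set reserved bit 10, any enabled slot = a hardware breakpoint such as a BPM is active). The bit layout is taken from the Intel SDM; the decoder works on a value you already obtained, since reading DR7 itself needs ring 0 as the post notes, and the sample values other than 0x400/0x700 are constructed.

```python
# Field positions in DR7 (Intel SDM, "Debug Registers"); assumed correct here.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # the 8-byte length exists on 64-bit only


def bits(value, lo, width):
    """Extract `width` bits of `value` starting at bit position `lo`."""
    return (value // 2 ** lo) % (2 ** width)


def decode_dr7(dr7):
    """Split a DR7 value into per-slot settings and the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local_enable = bits(dr7, 2 * n, 1)        # L0..L3 at bits 0,2,4,6
        global_enable = bits(dr7, 2 * n + 1, 1)   # G0..G3 at bits 1,3,5,7
        if local_enable or global_enable:
            slots.append({
                "slot": n,                                       # pairs with DR0..DR3
                "scope": "global" if global_enable else "local",
                "kind": RW_KIND[bits(dr7, 16 + 4 * n, 2)],      # R/Wn field
                "length": LEN_BYTES[bits(dr7, 18 + 4 * n, 2)],  # LENn field
            })
    return {
        "enabled": slots,
        "LE": bool(bits(dr7, 8, 1)),           # local exact breakpoint enable
        "GE": bool(bits(dr7, 9, 1)),           # global exact breakpoint enable
        "reserved10": bool(bits(dr7, 10, 1)),  # always reads as 1
        "GD": bool(bits(dr7, 13, 1)),          # general detect (traps MOV to DRx)
    }


def classify(dr7):
    """Apply the post's heuristic to a DR7 value read in ring 0."""
    info = decode_dr7(dr7)
    if info["enabled"]:
        # BPM-style hardware breakpoints live in DR0..DR3
        return "breakpoints set in " + ", ".join(
            "DR%d" % s["slot"] for s in info["enabled"])
    if info["LE"] and info["GE"]:
        return "LE/GE set: the 0x700 pattern of a SoftICE loader start"
    return "no debug activity: the 0x400 pattern (reserved bit only)"


if __name__ == "__main__":
    # constructed values: the two from the post plus one with a 4-byte write BPM in DR0
    for value in (0x400, 0x700, 0xD0401):
        print("dr7=0x%X: %s" % (value, classify(value)))
```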
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;     /* the open succeeded: the driver is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

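Methods 01 to 07 and 12 are fixed instruction sequences, and methods 11 and 13 boil down to fixed strings, so an analyst can flag all of them statically in a binary without running it. The following Python scanner is an added example (not code from the original post): the byte patterns are my own hand-assembled encodings of the instructions shown on this page (16-bit forms, with the 66h operand-size prefix tolerated where a 32-bit build would emit it), and SAMPLE is a constructed buffer that embeds the Method 01, 03 and 11 sequences between NOP filler.

```python
import re
import sys

# Hand-assembled encodings of the sequences shown on this page (assumption:
# the instructions are encoded the way a typical assembler emits them).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ahead of the int 3
    ("01 BoundsChecker 'BCHK' int 3 check", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)", rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID lookup",
     rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int 41h/4Fh debugger check", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h WinICE handler check", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Shared by 05/07/12: cmp ax,0F386h (the magic number of system debuggers)
    ("05/07/12 cmp ax,0F386h", rb"\x3D\x86\xF3"),
    # Method 11 (MeltICE): device names opened with CreateFileA / _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry key #2
    ("13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in SIGNATURES]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, regex in COMPILED:
        for match in regex.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: Method 01, Method 03 and Method 11 sequences between NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                  # mov ebp,4243484Bh        (Method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                       # '\\.\SICE',0             (Method 11)
    + b"\x90" * 8
)

if __name__ == "__main__":
    # scan a file given on the command line, or the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print("0x%08X  %s" % (offset, name))
```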
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>