About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our own int 41h vector (ES must be 0,
    xchg    bx, es:[41h*4+2]    ; the IVT segment, as the next example sets up)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

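An added example (not from the original text): a small Python decoder for the DR7 values quoted above, so that 0x700 and 0x400 can be read back as named bits and the DR0-DR3 slots can be listed. The bit layout is Intel's documented DR7 layout; the register snapshots inside the block are constructed for illustration, not captured from a real machine.

```python
# Added example, not part of the original text: decode the x86 DR7 debug
# control register that Method 10 reads, so the quoted values dr7=0x700
# (loaded through the SoftICE loader) and dr7=0x400 (otherwise) can be
# read back into named bits. The bit layout is Intel's documented one;
# the register values fed in below are constructed for illustration only.

# DR7 R/W field: what kind of access triggers the breakpoint.
RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# DR7 LEN field: size of the watched range in bytes.
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7):
    """Return the global flags of DR7 and a list of the enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local_enable = (dr7 >> (2 * i)) & 1         # L0..L3 at bits 0,2,4,6
        global_enable = (dr7 >> (2 * i + 1)) & 1    # G0..G3 at bits 1,3,5,7
        if local_enable or global_enable:
            rw = (dr7 >> (16 + 4 * i)) & 0b11        # R/Wi
            ln = (dr7 >> (18 + 4 * i)) & 0b11        # LENi
            slots.append({
                "slot": i,
                "local": bool(local_enable),
                "global": bool(global_enable),
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "LE": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: traps MOV to/from DRn
        "slots": slots,
    }


def debugger_indicators(dr0_3, dr7):
    """Apply the two observations of Method 10 to a snapshot of DR0..DR3 and DR7.

    dr0_3 is the list [dr0, dr1, dr2, dr3]. Returns whether the LE/GE bits
    (the difference between 0x700 and 0x400) are set, and the address plus
    type of every hardware breakpoint (a BPM in SoftICE terms) that is armed.
    """
    d = decode_dr7(dr7)
    armed = [(s["slot"], s["kind"], s["length"], dr0_3[s["slot"]]) for s in d["slots"]]
    return {"exact_flags_set": d["LE"] or d["GE"], "breakpoints": armed}


if __name__ == "__main__":
    # Constructed snapshots: the two DR7 values quoted in the text, then one
    # with a 4-byte read/write breakpoint armed in slot 0 on a made-up address.
    for name, regs, dr7 in [
        ("SoftICE loader", [0, 0, 0, 0], 0x700),
        ("normal load", [0, 0, 0, 0], 0x400),
        ("one BPM armed", [0x00401000, 0, 0, 0], 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)),
    ]:
        print(name, debugger_indicators(regs, dr7))
```

Reading the output against the text: 0x700 and 0x400 differ only in bits 8 and 9 (LE and GE); bit 10 is the reserved bit that always reads as 1, which is why even the "no debugger" value is not zero. Any armed BPM shows up as an enabled slot whose address is the matching DR0-DR3 register.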
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the Win9x SoftICE VxD by its device name; this only succeeds if it is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* handle obtained: the driver is present */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

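An added example (not from the original text) covering the conditional breakpoints quoted for Methods 11 and 13: it evaluates the same dword-at-offset tests in Python over a constructed API-call log, which shows why the offsets are 4 (just past the "\\.\" prefix), 0x13 (where "SoftICE" sits in key #2) and 0x37 (where it sits in key #1). The log format and every log line are constructed for this example; the API names are the ones the text mentions (RegOpenKeyExA is added as the Win32 variant of the same call).

```python
# Added example, not part of the original text: reproduce in Python what the
# conditional breakpoints quoted for Methods 11 and 13 test, and run that test
# over an API-call log. The log format below (api("argument") per line) and
# every line in SAMPLE_LOG are constructed for this example.
import re

# CreateFileA / _lopen: the BPX compares the dword at lpFileName+4, i.e. the
# four characters after the "\\.\" prefix, against the driver names from the
# text (SICE, SIWVID on Win9x; NTICE on NT).
DEVICE_TAGS = {"SICE", "SIWV", "NTIC"}

# RegOpenKey: the BPX compares the dword at subkey+0x13 or subkey+0x37 with
# 'tICE'. Those offsets are where "SoftICE" lands in key #2
# (Software\NuMega\SoftICE) and key #1 (...\CurrentVersion\Uninstall\SoftICE).
REGKEY_TAG = "tICE"
REGKEY_OFFSETS = (0x13, 0x37)


def dword_at(s, offset):
    """Mimic *(p+offset)=='XXXX' from the SoftICE expressions: 4 chars at offset."""
    return s[offset:offset + 4]


def is_device_probe(path):
    return dword_at(path, 4) in DEVICE_TAGS


def is_regkey_probe(subkey):
    return any(dword_at(subkey, off) == REGKEY_TAG for off in REGKEY_OFFSETS)


# Constructed log format: one call per line, API name then a quoted argument.
LOG_LINE = re.compile(r'^(?P<api>\w+)\("(?P<arg>[^"]*)"\)')


def scan_api_log(lines):
    """Return (api, argument) for every call that the quoted breakpoints would catch."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        api, arg = m.group("api"), m.group("arg")
        if api in ("CreateFileA", "_lopen") and is_device_probe(arg):
            hits.append((api, arg))
        elif api in ("RegOpenKeyA", "RegOpenKeyExA") and is_regkey_probe(arg):
            hits.append((api, arg))
    return hits


# Constructed log: two harmless calls mixed with the probes described in the text.
SAMPLE_LOG = [
    r'CreateFileA("\\.\SICE")',
    r'CreateFileA("C:\tools\readme.txt")',
    r'CreateFileA("\\.\NTICE")',
    r'RegOpenKeyA("Software\NuMega\SoftICE")',
    r'RegOpenKeyA("Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")',
    r'RegOpenKeyA("Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe")',
    r'_lopen("\\.\SIWVID")',
]

if __name__ == "__main__":
    for hit in scan_api_log(SAMPLE_LOG):
        print("SoftICE probe:", hit)
```

Running it flags five of the seven lines. Key #3 (App Paths\Loader32.Exe) is not among them: that path contains no "SoftICE" at all, so the 'tICE' test quoted above cannot cover it, and an analyst who cares about key #3 needs a separate condition. The same anchoring applies to the device-name test: it only matches the exact spellings listed in the text at offset 4.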
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>