<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (ES = 0, IVT),
    xchg bx, es:[41h*4+2]   ; saving the old vector (offset in DX, segment in BX)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone; a debugger returns 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if no debugger has hooked int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter byte: a value that varies between runs
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl == al only if our own handler ran
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68

(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
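
As an added example (mine, not part of the original text), here is a small
Python decoder for the DR7 layout that the trick above reads. It shows why a
quiet DR7 reads 0x400 (bit 10 is reserved and always reads as 1), why 0x700
means the LE and GE bits are also set, and how the Ln/Gn enable bits together
with the R/Wn and LENn fields expose an armed BPM. Reading the registers
needs ring 0, as the text says, so arm_bpm builds such a value in software
purely to exercise the decoder; the function names and sample values are my
own and nothing here is SoftICE's code.

```python
"""Decode IA-32 DR7 as read by the Method 10 trick (added example, not from
the original page). The bit layout is the architectural one: L0/G0 .. L3/G3
in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads as 1), GD bit 13, and
R/Wn + LENn in bits 16 + 4n .. 19 + 4n."""

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b is 8 bytes on x86-64 only

DR7_QUIET = 0x400   # what the page calls "0x400 otherwise": only bit 10 set


def decode_dr7(dr7):
    """Return the fields an anti-debug check inspects: armed breakpoint slots
    (with scope, access kind and length) plus the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled, DRn is irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_KINDS[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def arm_bpm(dr7, slot, kind, length, global_scope=True):
    """Build the DR7 value a debugger would write for a BPM-style hardware
    breakpoint in `slot` (0-3); used here only to produce test values."""
    rw = {v: k for k, v in RW_KINDS.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0x3 << (2 * slot))            # clear Ln/Gn
    dr7 &= ~(0xF << (16 + 4 * slot))       # clear R/Wn and LENn
    dr7 |= 1 << (2 * slot + 1 if global_scope else 2 * slot)
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    return dr7


def softice_hints(dr7):
    """Reproduce the page's heuristic: LE+GE set (0x700) means the program was
    started under the SoftICE loader; any enabled slot means a BPM is armed."""
    d = decode_dr7(dr7)
    return {"debugger_loader": d["le"] and d["ge"],
            "bpm_armed": bool(d["breakpoints"])}


if __name__ == "__main__":
    for value in (DR7_QUIET, 0x700, arm_bpm(DR7_QUIET, 0, "write", 4)):
        print(hex(value), softice_hints(value), decode_dr7(value)["breakpoints"])
```

Running it prints the quiet value, the loader value and a value with a 4-byte
write BPM in slot 0 (0xD0402), which is exactly the kind of non-zero Ln/Gn
field the trick keys on; this is also why the warning above says to clear
breakpoints before the check runs.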

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver accepts an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* handle opened: the driver is present */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
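
Pulling the byte patterns of the tricks above together, here is an added
example (mine, not from the original text or any of the programs it names) of
a static triage scanner for the signatures of Methods 01, 02, 03/04,
05/07/12, 11, 12 and 13. It looks for the encodings of the exact instruction
forms shown on this page (the 16-bit forms, which are also the core bytes of
the 32-bit forms once the 66h operand-size prefix is dropped; the paired
SI/DI pattern assumes 16-bit code as in the DOS example), for the
'\\.\SICE'-style device names, and for registry key #2. SAMPLE is a
constructed blob that mimics the Haspinst.exe loop and a MeltICE string; it
is not taken from any real binary, and the signature names are my own.

```python
"""Static triage for the SoftICE-detection tricks described on this page
(added example, not the page's own code). Patterns are the encodings of the
instruction forms shown above: 16-bit forms, which are also the core bytes of
the 32-bit forms once the 66h operand-size prefix is dropped."""
import re

SIGNATURES = {
    # Method 01: mov ebp,04243484Bh ('BCHK')            -> BD 4B 48 43 42
    "M01 BoundsChecker 'BCHK' in EBP":        rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (16-bit)   -> BE 47 46 BF 4D 4A
    "M02 int 3 back door magic SI/DI":        rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Method 02: mov ax,0911h (execute SIce command)    -> B8 11 09
    "M02 back door AX=0911h":                 rb"\xB8\x11\x09",
    # Method 03/04: mov ax,1684h ... int 2Fh            -> B8 84 16 .. CD 2F
    "M03/04 int 2Fh/1684h VxD entry lookup":  rb"\xB8\x84\x16.{0,8}?\xCD\x2F",
    # Method 05/07/12: cmp ax,0F386h                    -> 3D 86 F3
    "M05/07/12 cmp ax,0F386h magic number":   rb"\x3D\x86\xF3",
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch)  -> 68 2A 00 2A 00
    "M12 VxDCall VWIN32_Int41Dispatch":       rb"\x68\x2A\x00\x2A\x00",
    # Method 11: MeltICE / _lopen device names
    "M11 MeltICE driver name":                rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key #2
    "M13 SoftICE registry key":               rb"(?i)Software\\NuMega\\SoftICE",
}


def scan(blob):
    """Return sorted (offset, description) hits for every signature found."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample (not a real binary): the Haspinst.exe-style loop from
# Method 02, the simplest Method 05 check, and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

Treat the output as triage, not proof: the three-byte cmp signature can occur
in ordinary data, and a packer can build the constants at run time so that no
pattern is visible in the file. What the hits give you is the offset at which
to place the BPX/BPINT breakpoints listed under each method.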

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>