About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker query
    cmp     al,4                   ; al is unchanged if nobody handled it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]        ; (es must point to the IVT at 0:0)
    mov     ax,4fh
    int     41h                     ; only a debugger changes ax here
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; dummy handler: copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if the dummy handler ran
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name "\\.\SICE" can only be opened if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
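Method 10 relies on the two DR7 values 0x400 and 0x700 without saying what the bits mean. The following decoder is an added example (not part of the original text); it uses the architectural DR7 layout from the Intel SDM (local/global enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always set, GD bit 13, and R/W and LEN fields for each slot from bit 16 upward). The function names and the sample values are the example's own.

```python
"""Decode the x86 DR7 debug control register (added example for method 10).

0x400 is an idle DR7: only the reserved bit 10 is set. 0x700 additionally
has LE (bit 8) and GE (bit 9), the "exact breakpoint match" flags a
debugger sets. Any L0..L3/G0..G3 enable bit means a hardware breakpoint
(a SoftICE BPM) is armed in the corresponding dr0..dr3 slot.
"""

# R/W field (2 bits per slot): what kind of access triggers the breakpoint.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field (2 bits per slot): size of the monitored range in bytes.
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of armed breakpoint slots."""
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1          # L0, L1, L2, L3
        glob = (dr7 >> (2 * slot + 1)) & 1       # G0, G1, G2, G3
        rw = (dr7 >> (16 + 4 * slot)) & 3        # R/W0 .. R/W3
        ln = (dr7 >> (18 + 4 * slot)) & 3        # LEN0 .. LEN3
        if local or glob:
            armed.append({
                "slot": slot,
                "local": bool(local),
                "global": bool(glob),
                "type": RW_NAMES[rw],
                "length": LEN_NAMES[ln],
            })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),   # general detect: trap on DRx access
        "armed": armed,
    }


def debugger_hint(dr7: int) -> str:
    """Classify DR7 the way the page reads it: idle, touched, or armed."""
    d = decode_dr7(dr7)
    if d["armed"]:
        return "hardware breakpoints armed"
    if d["le"] or d["ge"]:
        return "exact-match bits set (debugger touched DR7)"
    return "idle"


def bpm_dr7(slot: int, rw: int, length_code: int, local: bool = True) -> int:
    """Build the DR7 a debugger would write to arm one memory breakpoint
    (constructed helper, used only to produce sample values)."""
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return 0x700 | enable | (rw << (16 + 4 * slot)) | (length_code << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, bpm_dr7(0, rw=3, length_code=3)):
        print(hex(value), debugger_hint(value), decode_dr7(value)["armed"])
```

Reading DR7 needs ring 0 (as the page notes), so in practice this decoder is applied to a value captured from a kernel debugger, a crash dump or a VM's register state rather than from user mode.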
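Every method above boils down to a short, fixed instruction sequence or a fixed string, which is exactly what an analyst wants to find statically before running an unknown packer stub under a debugger. The scanner below is an added example (not code from the original text or from any of the tools it names) covering methods 01 to 05, 07, 11, 12 and 13: it encodes the quoted instructions with the standard x86 opcodes (`mov ebp,imm32` = BD, `mov ax,imm16` = B8 with an optional 66h operand-size prefix, `int n` = CD n, `push imm8` = 6A, `push imm32` = 68) together with the device names and registry keys the text lists, and reports the offset of each hit. The `SIGNATURES` table, `scan` and the constructed sample image are the example's own.

```python
"""Static triage for the anti-SoftICE checks described on this page
(added example). Scans a file image for the instruction sequences and
strings quoted in methods 01-05, 07, 11, 12 and 13 and reports offsets.
"""
import re
import sys

# (label, regex over raw bytes). "\x66?" tolerates the operand-size prefix
# that appears when 16-bit registers are used inside 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3
    ("M01 BoundsChecker/BCHK int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC")),
    # Method 02: mov si,4647h; mov di,4A4Dh (SoftICE back door magic values)
    ("M02 int 3 back door magic SI/DI",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A")),
    # Methods 03/04: mov ax,1684h; mov bx,0202h|7A5Fh; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh; int 41h
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h; int 68h
    ("M07 int 68h/43h V86 check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: driver device names opened with CreateFileA / _lopen
    ("M11 SoftICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry keys that reveal the SoftICE installation
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(image: bytes):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample image: checks from methods 01, 05, 11 and 13
    separated by NOP padding, roughly as a packer stub would lay them out."""
    pad = b"\x90" * 8
    m01 = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # + cmp al,4; jnz
    m05 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # + cmp ax,0F386h; jz
    m11 = b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    m13 = b"Software\\NuMega\\SoftICE\x00"
    return pad + m01 + pad + m05 + pad + m11 + pad + m13 + pad


def scan_file(path: str):
    """Scan a file on disk; same result shape as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, label in scan(image):
        print(f"{offset:08x}  {label}")
```

Hits only mean the check is present, not that it is reachable; a packed sample may also build these constants at run time, which is why the page's own breakpoint conditions (BPINT 41, BPX CreateFileA, BPX Get_DDB and so on) remain the dynamic complement to this static pass.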