<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE exposes through INT 3:
the caller loads the 'BCHK' signature into EBP and 4 into AX; a loaded
SoftICE services the request, and AL no longer holds 4 on return.

        mov     ebp, 04243484Bh     ; 'BCHK' signature
        mov     ax, 04h
        int     3
        cmp     al, 4               ; still 4 when nobody serviced the call
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on INT 3, which return information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE: without them an INT 3 is just
an ordinary breakpoint.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an exception handler (SEH) if the
debugger is not loaded: without SoftICE the INT 3 falls through to the
program's own handler, which resumes execution at 00AD.
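The back-door convention above, modelled in Python as an added example (this
is not code from the original page, from HASP or from SoftICE): the magic
SI/DI pair is what turns a plain INT 3 into a back-door call, and the
Haspinst.exe loop is replayed over a constructed data segment holding the
6-entry table of near pointers that MOV DX,[BX] walks. Only the AX function
codes, the magic values and the 6 command names come from the text; the
memory layout, offsets and function names are assumptions.

```python
"""SoftICE INT 3 back door (Method 02) modelled in Python, plus a replay of the
Haspinst.exe loop over a constructed data segment. Added example, not code
from the page; layout and offsets are assumptions."""
from typing import Dict, List, Optional, Tuple

SI_MAGIC = 0x4647   # 'FG': first magic value
DI_MAGIC = 0x4A4D   # 'MJ': second magic value

BACKDOOR_FUNCS: Dict[int, str] = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def asciiz(seg: bytes, off: int) -> str:
    """Read the NUL-terminated string at seg:off."""
    return seg[off:seg.index(b"\x00", off)].decode("ascii")


def backdoor_request(ax: int, si: int, di: int, ds: bytes, dx: int
                     ) -> Optional[Tuple[str, Optional[str]]]:
    """Decode one INT 3 the way SoftICE gates it: without the magic SI/DI pair
    (or with an unknown AX) it is an ordinary breakpoint and returns None.
    For 0910h/0911h the argument is the ASCIIZ text at DS:DX; the breakpoint
    functions take a structure the page does not describe, left undecoded."""
    if (si, di) != (SI_MAGIC, DI_MAGIC) or ax not in BACKDOOR_FUNCS:
        return None
    func = BACKDOOR_FUNCS[ax]
    if ax in (0x0910, 0x0911):
        return func, asciiz(ds, dx)
    return func, None


def build_data_segment(commands: List[str], table_off: int = 0x0100) -> bytes:
    """Lay out what the Haspinst.exe loop walks: a table of near pointers at
    table_off, each to an ASCIIZ command string placed right after the table.
    (Constructed layout; the real file's data offsets are not on the page.)"""
    seg = bytearray(table_off)                      # zero fill up to the table
    strings = bytearray()
    base = table_off + 2 * len(commands)            # strings follow the table
    for cmd in commands:
        seg += (base + len(strings)).to_bytes(2, "little")
        strings += cmd.encode("ascii") + b"\x00"
    return bytes(seg + strings)


def replay_haspinst_loop(ds: bytes, bx: int, count: int = 6) -> List[str]:
    """Replay 4C19:0095..00A8 and collect the commands SoftICE would execute."""
    executed: List[str] = []
    cx = 0
    while True:
        dx = int.from_bytes(ds[bx:bx + 2], "little")                # MOV DX,[BX]
        req = backdoor_request(0x0911, SI_MAGIC, DI_MAGIC, ds, dx)  # INT 3
        executed.append(req[1] if req else "<plain INT 3>")
        bx += 2                                                     # ADD BX,02
        cx += 1                                                     # INC CX
        if cx >= count:                                             # CMP CX,06 / JB
            break
    return executed


HASP_COMMANDS = ["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]   # from the listing

if __name__ == "__main__":
    ds = build_data_segment(HASP_COMMANDS)
    print(replay_haspinst_loop(ds, 0x0100))   # the last one reboots the box
```

The gate in backdoor_request is the practical point: a BPINT 3 that fires on
every INT 3 is useless against this trick, whereas a condition on SI/DI
(si==4647 && di==4a4d) isolates the back-door calls, and the replay shows why
the 6th one (HBOOT) must be caught before it runs.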
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via INT 2Fh/AX=1684h
(Get VxD API entry point): the call returns ES:DI = entry point of the VxD's
API, and leaves ES:DI = 0 when no VxD with that ID is loaded.

        xor     di, di
        mov     es, di              ; ES:DI = 0 before the call
        mov     ax, 1684h
        mov     bx, 0202h           ; VxD ID of WINICE
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax              ; still 0 if the VxD is not loaded
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX (video) VxD, SIWVID.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh           ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls INT 41h, function 4Fh.
There are several variants.
The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is temporarily replaced
by a dummy IRET handler: on a plain PC the INT 41h vector is not code at all
but the address of the fixed-disk parameter table, so without a handler the
call would crash. With the dummy installed, AX comes back unchanged when no
debugger is present, whereas a system debugger intercepts INT 41h before the
vector is reached and still answers 0F386h:

        xor     ax, ax
        mov     es, ax              ; ES = 0: the interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]      ; swap in our dummy handler,
        xchg    bx, es:[41h*4+2]    ; keeping the old vector in BX:DX
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function number is passed in AX and nothing is compared with 0F386h, so a
conditional BPINT 41 on AX==4F never fires. An unpredictable byte is read
from port 40h into AL, CX is cleared and INT 41h is called. If only the
handler below runs, CL becomes a copy of AL and the compare succeeds; if a
system debugger intercepted the interrupt instead, the handler never runs,
CL stays 0 and (unless AL happened to be 0) the debugger is detected.

int41handler PROC
        mov     cl, al              ; only reached when no debugger hooks INT 41h
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax              ; ES = 0: the interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]      ; install our handler, save the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h             ; PIT channel 0 counter: an unpredictable byte
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function 43h of the
INT 68h debugger interface answers with the same 0F386h magic number.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of SoftICE detection but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        push    cs
        pop     ds                  ; DS:DX must address the new handler
        mov     ah, 25h             ; DOS: set interrupt vector
        mov     al, Int_Number      ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
possible from ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7 = 0x700 if the program was loaded with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. Opening "\\.\SICE" only succeeds
when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

        00401067: push 00402025             ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001             ; INVALID_HANDLE_VALUE
        00401074: je   00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                  ; OF_READ
        mov     eax,[00656634]      ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                 ; HFILE_ERROR (-1) becomes 0
        jnz     00650589            ; detected
        push    00                  ; OF_READ
        mov     eax,[00656638]      ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push    0000004Fh           ; function 4Fh
        push    002A002Ah           ; high word specifies which VxD (VWIN32)
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001   ; VxDCall
        cmp     ax, 0F386h          ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the subkey string; offset 0x13 hits the 'tICE' of
"Software\NuMega\SoftICE", 0x37 that of "...\Uninstall\SoftICE")
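A scanner, added here as an example (it is not part of the original page nor
of any tool the page mentions), that finds the byte signatures of the tricks
above in a raw binary image: the INT-based stubs of Methods 01 to 07 and the
VxDCall of Method 12 as opcode patterns (with the 66h operand-size prefix
optional, so 16-bit DOS and 32-bit Win32 encodings both match), and the
MeltICE device names of Method 11 and the registry keys of Method 13 as
strings. The opcode encodings are standard x86; the sample buffer is
constructed here from the listings on the page (the Haspinst.exe loop
re-assembled) and is not a real file.

```python
"""Find SoftICE-detection stubs in a raw binary image (constructed sample inside).
Added example; signatures are derived from the methods described on the page."""
import re
import sys
from typing import List, Tuple

OPT66 = rb"(?:\x66)?"   # optional operand-size prefix: same code, 16- or 32-bit segment

# (label, regex over raw bytes). Encodings are plain x86; the gaps ".{0,n}?" allow
# a few unrelated instructions between the characteristic ones.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    ("M01 BoundsChecker 'BCHK' INT 3",
     OPT66 + rb"\xBD\x4B\x48\x43\x42" + OPT66 + rb"\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back-door magic values)
    ("M02 back-door magic SI/DI + INT 3",
     OPT66 + rb"\xBE\x47\x46" + OPT66 + rb"\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    ("M03/04 INT 2Fh/1684h with SoftICE VxD ID",
     OPT66 + rb"\xB8\x84\x16.{0,6}?" + OPT66 + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 INT 41h function 4Fh", OPT66 + rb"\xB8\x4F\x00\xCD\x41"),
    # Method 06 passes no function code, so only the bare INT 41h is left to find
    ("INT 41h (weak; Method 06 style)", rb"\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("M07 INT 68h function 43h", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # cmp ax,0F386h: the magic value the INT 41h/68h checks compare against
    ("cmp ax,0F386h (weak)", OPT66 + rb"\x3D\x86\xF3"),
    # Method 11: MeltICE device names (ANSI only; the W variants are UTF-16)
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys naming the SoftICE installation
    ("M13 SoftICE registry key", rb"(?:NuMega|Uninstall)\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(buf))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test image: the Haspinst.exe loop re-assembled from the listing
# (Method 02), followed by a 32-bit Method 01, Methods 03, 05 and 12, and the
# strings of Methods 11 and 13. Offsets in the comments are into SAMPLE.
SAMPLE = (
    b"\x90" * 4                                             # 0: padding
    + b"\xB8\x11\x09"                                       # 4: MOV AX,0911
    + b"\x8B\x17"                                           # 7: MOV DX,[BX]
    + b"\xBE\x47\x46"                                       # 9: MOV SI,4647
    + b"\xBF\x4D\x4A"                                       # 12: MOV DI,4A4D
    + b"\xCC"                                               # 15: INT 3
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"               # 16: ADD BX,2/INC CX/CMP CX,6/JB
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # 25: Method 01, 32-bit code
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # 37: Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # 45: Method 05 + cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # 53: Method 12
    + b"\\\\.\\SICE\x00"                                    # 60: Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                      # 69: Method 13 key (hit at 78)
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for off, label in (scan_file(target) if target else scan(SAMPLE)):
        print(f"{off:08x}  {label}")
```

Run it as "python scanner.py protected.exe"; without an argument it scans the
built-in sample. Treat the bare INT 41h and the 0F386h compare as weak
indicators, and confirm every opcode hit in a disassembler, since the same
bytes can occur in data. CreateFileW callers pass the device name as UTF-16,
which the string signatures above do not cover.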
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>