About anti-SoftICE tricks

Posted 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE's int 3 handler
recognises: with EBP='BCHK' and AX=4, a loaded SoftICE handles the int 3
and AL comes back different from 4.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; intercepted by SoftICE if it is loaded
    cmp     al,4                   ; AL unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   (ASCII 'FG')
-DI = 4A4Dh   (ASCII 'JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (so never single-step through such
a loop with SoftICE loaded: HBOOT reboots the machine; break before the INT 3
and skip it instead).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is not installed, ES:DI comes back
unchanged, i.e. 0000:0000.

    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h               ; Get VxD API entry point
    mov     bx, 0202h               ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if ES:DI was left untouched
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h               ; Get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if ES:DI was left untouched
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any
system debugger.  It calls int 41h, function 4Fh (the debugger
installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic value answered by a system debugger
    jz      SoftICE_detected


The next example, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net).  This one swaps a dummy IRET handler
into the int 41h vector for the duration of the call, so an ordinary
handler sitting in the interrupt vector table cannot be the one answering
0F386h; only something trapping the interrupt before it reaches the table
(SoftICE, in V86 mode) can.  The original snippet assumes ES is already 0;
the two first lines set it explicitly, as Method 06 does.

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our dummy handler (offset)...
    xchg    bx, es:[41h*4+2]        ; ...and its segment, keeping the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: AX stays 4fh unless a debugger answered
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect,
because it never uses function 4Fh nor compares against 0F386h.  The
program installs its own int 41h handler, which copies AL into CL: if the
interrupt really reached that handler, CL ends up equal to AL; if SoftICE
intercepted int 41h and handled it itself, CL stays at 0.

int41handler PROC
    mov     cl,al                   ; proves that our handler was reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler, keeping the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0 byte: a more or less random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Note that when the byte read from port 40h happens to be 0, CL equals AL
whatever happened, so in that case the check cannot see SoftICE at all.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h                  ; debugger installation check
    int     68h
    cmp     ax,0F386h               ; same magic value as for int 41h/4Fh
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    push    cs
    pop     ds                      ; DS:DX must address the new handler
    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; Int_Number: 01h (single step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers (in ring0
only, since reading dr0-dr7 is a privileged instruction) you can detect if
SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3
hold the BPM addresses) simply by reading their values.  The values can be
manipulated and/or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
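The following is an added example, not part of the original text or of any protector it describes: a small Python decoder for the DR7 values Method 10 talks about. The bit layout is the one the Intel manual documents: bit 10 is reserved and always reads as 1 (which is why an idle DR7 is 0x400), the 0x700 the SoftICE loader leaves behind adds the LE/GE "exact breakpoint" bits 8 and 9, bits 0-7 are the L/G enable bits of dr0-dr3, and bits 16-31 are the R/W and LEN fields describing each BPM. The sample register values and the function names are mine; the code only decodes numbers it is given (reading the real registers needs ring 0, as the text says).

```python
# Added example, not from the original text: decode DR7 the way a ring-0
# check such as Method 10 would, and compute the value a protector writes
# back to clear every BPM.  Layout per the Intel SDM (vol. 3, "Debug Registers"):
#   bits 0..7        L0 G0 L1 G1 L2 G2 L3 G3 : local/global enable of dr0..dr3
#   bit 8 / bit 9    LE / GE                 : exact-breakpoint bits (0x300)
#   bit 10           reserved, always 1      : so an idle DR7 reads 0x400
#   bit 13           GD                      : trap on any debug-register access
#   bits 16+4n,17+4n R/Wn : 00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4n,19+4n LENn : 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit only)

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

IDLE_DR7 = 0x400            # "0x400 otherwise" in the text: only the reserved bit
SOFTICE_LOADER_DR7 = 0x700  # "dr7=0x700 if you loaded the soft with SoftICE loader"


def decode_dr7(dr7):
    """Describe a DR7 value: global flags plus every enabled hardware breakpoint."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append({
            "index": n,
            "local": bool(local),
            "global": bool(glob),
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def looks_like_softice_loader(dr7):
    """Method 10's first test: LE and GE set on top of the reserved bit."""
    return (dr7 & 0x700) == SOFTICE_LOADER_DR7


def has_memory_breakpoints(dr7):
    """Method 10's second test: any L/G enable bit set means a BPM is armed."""
    return (dr7 & 0xFF) != 0


def clear_memory_breakpoints(dr7):
    """What 'clearing BPMs' amounts to: drop the eight enable bits, keep the rest."""
    return dr7 & 0xFFFFFF00


def describe(dr0_3, dr7):
    """Human-readable lines for the four address registers and DR7."""
    info = decode_dr7(dr7)
    lines = ["dr7=%#x le=%d ge=%d gd=%d" % (dr7, info["le"], info["ge"], info["gd"])]
    for bp in info["breakpoints"]:
        lines.append("BPM dr%d at %#x: %s, %d byte(s), %s" % (
            bp["index"], dr0_3[bp["index"]], bp["condition"], bp["length"],
            "global" if bp["global"] else "local"))
    return lines


if __name__ == "__main__":
    # Constructed sample: dr0 armed as a local 4-byte read/write BPM on top of
    # the 0x700 the text reports after the SoftICE loader.
    sample_dr0_3 = [0x401000, 0, 0, 0]
    sample_dr7 = SOFTICE_LOADER_DR7 | 0x1 | (0x3 << 16) | (0x3 << 18)   # 0xF0701
    for line in describe(sample_dr0_3, sample_dr7):
        print(line)
    print("softice loader:", looks_like_softice_loader(sample_dr7))
    print("after clearing: %#x" % clear_memory_breakpoints(sample_dr7))
```

Run as a script it decodes the constructed sample; the clear_memory_breakpoints result is the value a protector would write back with mov dr7,eax to kill every BPM while leaving the rest of the register as it found it, which is exactly the "values can be manipulated" case the text warns about.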

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the VxD by its device name only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; "\\.\SICE"
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not opened -> SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in the subkey strings of keys #2 and #1 respectively.)

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
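To close, an added example that is not part of the original text: a static scanner in Python that looks in a binary for the byte patterns Methods 01, 02, 03/04, 05, 07, 10, 11, 12 and 13 leave behind. The instruction encodings are the standard x86 ones, with an optional 66h prefix so the 16-bit forms also match inside 32-bit code; the signature names, the regular expressions, the file name in the usage line and the sample blob are mine, constructed for the demonstration. Hits are places to look, not proof: a three-byte debug-register encoding or a cmp against 0F386h can just as well occur in innocent code or data.

```python
# Added example, not from the original text: a static scanner for the byte
# patterns the anti-SoftICE tricks above leave in a binary.  Encodings are
# the standard x86 ones; "(?:\x66)?" allows the operand-size prefix so the
# 16-bit forms also match inside 32-bit code.
import re
import sys

# Multi-byte immediates are little-endian, so 'BCHK' (4243484Bh) is stored 4B 48 43 42.
SIGNATURES = {
    "M01 int3/BCHK":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42",                       # mov ebp,4243484Bh
    "M02 int3 back door magic SI/DI":
        rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A",  # mov si,4647h .. mov di,4A4Dh
    "M03/04 int 2Fh/1684h VxD entry point":
        rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 int 41h/4Fh":
        rb"(?:\x66)?\xB8\x4F\x00.{0,32}?\xCD\x41",               # mov ax,4Fh .. int 41h
    "M05/07/12 cmp ax,0F386h":
        rb"(?:\x66)?\x3D\x86\xF3",                               # cmp ax,0F386h
    "M07 int 68h/43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",                             # mov ah,43h .. int 68h
    "M10 debug register access":
        rb"\x0F[\x21\x23][\xC0-\xDF\xF8-\xFF]",                  # mov r32,dr0-3/dr7 or the reverse
    "M11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",       # "\\.\SICE" etc.
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"\x68\x2A\x00\x2A\x00",                                # push 002A002Ah
    "M13 registry key":
        re.escape(b"Software\\NuMega\\SoftICE"),
}

# DOTALL so the .{0,n}? gaps between instructions may contain 0Ah bytes too.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(data):
    """Return a sorted list of (offset, signature name) for every hit in data."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample blob: Method 01, a 16-bit Method 05 check, a 32-bit
# Method 12 check, a DR7 read, two MeltICE device names and the registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC" + b"\x3C\x04" + b"\x75\x10"
    + b"\xB8\x4F\x00" + b"\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x05"
    + b"\x6A\x4F" + b"\x68\x2A\x00\x2A\x00" + b"\xE8\x00\x00\x00\x00" + b"\x66\x3D\x86\xF3"
    + b"\x0F\x21\xF8"
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    # Usage: python antisice_scan.py <file>   (no argument: scan the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print("%08x  %s" % (offset, name))
```

The gap quantifiers (.{0,n}?) are deliberately short so that a packer interleaving a few junk instructions between the mov and the int still matches, while an accidental pairing far apart does not; widen them if the sample you are looking at spreads the sequence out more.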