<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP = 'BCHK' and
AX = 4 loaded before the INT 3, a loaded SoftICE answers the probe and
changes AL, so AL still equal to 4 afterwards means no SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). The call returns ES:DI -> entry point, and
leaves ES:DI = 0000h:0000h (which the caller sets beforehand) when no VxD
with that ID is loaded, so a non-zero ES or DI means the VxD is present.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one temporarily points
the int 41h vector at a do-nothing IRET handler around the call and restores
it afterwards, so with no debugger AX comes back unchanged (4Fh); ES must
hold 0, the interrupt vector table segment, as Method 06 sets it:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
does not use function 4Fh nor compare with 0F386h, so a 'BPINT 41 if ax==4f'
never fires. It loads AL with a timer value (in al,40h), clears CX and calls
int 41h; its own handler copies AL into CL, so CL==AL afterwards means the
call reached the program's handler and nothing intercepted it, while a
debugger hooking int 41h leaves CL at 0:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPM) are set (dr0 to dr3), simply by
reading their value (ring0 only, since MOV from a DRn is a privileged
instruction). Values can be manipulated or changed as well
(clearing BPMs for instance).
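What those DR7 values mean, as an added example (not code from the original text): a small Python decoder for the DR7 layout Intel documents for IA-32, plus the "clear the BPMs" manipulation mentioned above, working on register values passed in as integers (reading the real registers needs ring0, which this script does not attempt). 0x700 is the LE and GE exact-breakpoint enables on top of reserved bit 10, which always reads as 1; 0x400 is just that reserved bit.

```python
"""Decode the DR7 debug-control register used by the Method 10 check.

Added example, not from the original text.  Bit layout (Intel IA-32):
L0-L3/G0-G3 enable bits in bits 0-7, LE/GE in bits 8-9, bit 10 reads as 1,
GD in bit 13, and a 2-bit R/W plus a 2-bit LEN field per breakpoint in
bits 16-31.  Values are plain integers; reading DRn for real needs ring0.
"""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 is 8 bytes in long mode, undefined on 32-bit


def decode_dr7(dr7):
    """Return the global flags and the list of breakpoints enabled in dr7."""
    enabled = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: enabled for the current task
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: enabled for all tasks
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: which access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: size of the watched range
        enabled.append({"n": n, "scope": "global" if glob else "local",
                        "type": RW_TYPES[rw], "len": LENGTHS[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),           # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),           # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),          # general detect: trap on DRn access
        "breakpoints": enabled,
    }


def debugger_signs(dr7, dr0_3=(0, 0, 0, 0)):
    """Apply the page's reasoning: LE+GE set (0x700 rather than 0x400) or any
    enabled breakpoint points at SoftICE or an active BPM.  dr0_3 holds the
    four linear addresses from DR0..DR3."""
    d = decode_dr7(dr7)
    signs = []
    if d["LE"] and d["GE"]:
        signs.append("LE+GE set (DR7 looks like 0x700, SoftICE loader)")
    for bp in d["breakpoints"]:
        signs.append("BPM%d %s %s %d byte(s) at %#x" % (
            bp["n"], bp["scope"], bp["type"], bp["len"], dr0_3[bp["n"]]))
    return signs


def clear_bpm(dr7):
    """Return dr7 with every breakpoint disabled and its R/W and LEN fields
    zeroed, keeping LE, GE, GD and the reserved bits in byte 8-15."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0701):
        print("%#010x -> %s" % (value, debugger_signs(value, (0x401000, 0, 0, 0))))
```

0x000D0701 in the demo is 0x700 with BPM0 enabled locally as a 4-byte write watch (R/W0 = 01, LEN0 = 11); clear_bpm() turns it back into 0x700.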

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. A successful open means the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD on Win9x; SIWVID
       (video driver) and NTICE (NT driver) are checked the same way. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* the device opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the \\.\ prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; +0x13 and +0x37 are the
offsets of 'tICE' inside keys #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
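All of the tricks above (methods 01 to 13) leave recognisable immediates or strings in the executable. As an added example, not code from the original page, here is a Python triage scanner that runs over a raw byte buffer (a DOS .EXE, a PE section, a dumped code page) and flags them; the sample bytes are constructed here to exercise each pattern. It matches the exact encodings shown on the page, so obfuscated or register-indirect variants are missed, and a hit is a lead to confirm live with the BPX/BPINT lines given in each section.

```python
"""Triage scanner for the SoftICE detection tricks of methods 01 to 13.

Added example, not from the original page.  It flags the instruction and
string patterns those tricks leave in a raw byte buffer, matching the exact
encodings shown on the page; obfuscated or register-indirect variants are
missed, so treat a hit as a lead to confirm under the debugger.
"""
import re
import struct

WINDOW = 16   # look-back (bytes) before an INT for the register set-up

# Opcode fragments; the optional 0x66 prefix covers 16-bit and 32-bit code.
MOV_EBP_BCHK = re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")      # mov ebp,'BCHK'
INT3 = re.compile(rb"\xCC|\xCD\x03")                          # int 3, both encodings
INT_2F = re.compile(rb"\xCD\x2F")                             # int 2Fh
INT_41 = re.compile(rb"\xCD\x41")                             # int 41h
INT_68 = re.compile(rb"\xCD\x68")                             # int 68h
MOV_AX_09XX = re.compile(rb"\xB8(.)\x09", re.DOTALL)          # mov ax,09xxh (back-door function)
MOV_BX_IMM16 = re.compile(rb"\xBB(..)", re.DOTALL)            # mov bx,imm16 (VxD ID)
CMP_AX_F386 = re.compile(rb"\x66?\x3D\x86\xF3")               # cmp ax,0F386h
VXDCALL_INT41 = re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")  # push 4Fh / push 002A002Ah
DEVICE_NAME = re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")    # \\.\SICE etc. (ANSI only)
REGISTRY_KEY = re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)
MOV_SI_FG, MOV_DI_JM = b"\xBE\x47\x46", b"\xBF\x4D\x4A"       # mov si,4647h / mov di,4A4Dh
MOV_AX_1684, MOV_AX_4F, MOV_AH_43 = b"\xB8\x84\x16", b"\xB8\x4F\x00", b"\xB4\x43"
KNOWN_VXD_IDS = {0x0202: ("03", "SICE"), 0x7A5F: ("04", "SIWVID")}


def _before(buf, pos):
    """The WINDOW bytes preceding pos, where the registers get loaded."""
    return buf[max(0, pos - WINDOW):pos]


def scan(buf):
    """Return [(offset, method, detail), ...] sorted by offset."""
    hits = []
    for m in MOV_EBP_BCHK.finditer(buf):
        if INT3.search(buf, m.end(), m.end() + WINDOW):
            hits.append((m.start(), "01", "mov ebp,'BCHK' then int 3 (BoundsChecker probe)"))
    for m in INT3.finditer(buf):
        back = _before(buf, m.start())
        if MOV_SI_FG in back and MOV_DI_JM in back:
            fn = MOV_AX_09XX.search(back)
            detail = "int 3 back door with SI='FG', DI='JM'"
            if fn:
                detail += ", AX=09%02Xh" % fn.group(1)[0]
            hits.append((m.start(), "02", detail))
    for m in INT_2F.finditer(buf):
        back = _before(buf, m.start())
        bx = MOV_BX_IMM16.search(back)
        if MOV_AX_1684 in back and bx:
            vxd_id = struct.unpack("<H", bx.group(1))[0]
            method, name = KNOWN_VXD_IDS.get(vxd_id, ("03/04", "unknown VxD"))
            hits.append((m.start(), method, "int 2Fh/1684h entry point of VxD ID %04Xh (%s)" % (vxd_id, name)))
    for m in INT_41.finditer(buf):
        if MOV_AX_4F in _before(buf, m.start()):
            detail = "int 41h function 4Fh debugger installation check"
            if CMP_AX_F386.search(buf, m.end(), m.end() + WINDOW):
                detail += ", result compared with 0F386h"
            hits.append((m.start(), "05", detail))
    for m in INT_68.finditer(buf):
        if MOV_AH_43 in _before(buf, m.start()):
            hits.append((m.start(), "07", "int 68h/AH=43h WinICE V86 handler check"))
    for m in VXDCALL_INT41.finditer(buf):
        hits.append((m.start(), "12", "VxDCall VWIN32_Int41Dispatch with function 4Fh"))
    for m in DEVICE_NAME.finditer(buf):
        hits.append((m.start(), "11", "device name \\\\.\\%s (MeltICE-style open)" % m.group(1).decode()))
    for m in REGISTRY_KEY.finditer(buf):
        hits.append((m.start(), "13", "registry key " + m.group(0).decode()))
    return sorted(hits)


# Constructed input: one instance of each trick, then INT 3 padding that must
# not fire because no magic values precede it.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"      # 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"      # 02: mov ax,911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # 03: mov ax,1684h / mov bx,202h / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xB4\x43\xCD\x68"                                  # 07: mov ah,43h / int 68h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # 12: push 4Fh / push 002A002Ah
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"      # 11 and 13: device name and registry key
    + b"\xCC" * 8
)

if __name__ == "__main__":
    for offset, method, detail in scan(SAMPLE):
        print("%06X  method %-5s %s" % (offset, method, detail))
```

Run it on a real file with scan(open(path, "rb").read()). The INT 3 rule only fires when both magic values sit in the preceding 16 bytes, which keeps the ubiquitous 0xCC padding quiet; Method 06, which deliberately uses no constant, and the VMM-service based methods 09 and 14 are out of reach for a byte scanner and need the breakpoints shown above.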
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag (the zero flag is clear when a debugger is
installed).
</PRE></TD></TR></TBODY></TABLE>