About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax          ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax, ax
    mov     es, ax                  ; ES -> interrupt vector table (seg 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
    xchg    bx, es:[41h*4+2]        ; in dx:bx
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al                  ; only runs if nobody hooks int 41h
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax                  ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: a value hard to predict
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl, al                  ; our handler did not run -> debugger
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the driver only answers if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
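Added example, not part of the original post: a small C scanner that looks through a raw code image for the byte patterns of the tricks above (Methods 01 to 05, 07, 11 and 12), the way you would triage a packed binary before single-stepping it. The opcode encodings are mine and assume 16-bit real-mode code for the DOS-era tricks and 32-bit flat code for the Win32 ones (Method 01's `mov ebp`, Method 12's `push imm32`); the sample image is constructed, not taken from any real file. A packer that reorders the instructions or uses different registers will slip past a plain byte scan, so treat the hit list as a starting point for breakpoints, not a verdict.

```c
/* Added example (not from the original post): scan a raw code/data image
 * for byte patterns of the anti-SoftICE tricks described above.
 * Encodings assume 16-bit real-mode code for the DOS-era tricks and
 * 32-bit flat code for the Win32 ones (assumptions of this example). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig {
    const char    *name;   /* method number from the post + short description */
    const uint8_t *bytes;
    size_t         len;
};

/* Method 01: mov ebp,4243484Bh ('BCHK')              BD imm32 (32-bit mode) */
static const uint8_t SIG_BCHK[]      = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3     (16-bit mode) */
static const uint8_t SIG_MAGIC[]     = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };
/* Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t SIG_SICE_ID[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t SIG_SIWVID_ID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h */
static const uint8_t SIG_INT41[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 };
/* Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h */
static const uint8_t SIG_INT68[]     = { 0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3 };
/* Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch)   68 imm32 */
static const uint8_t SIG_VXDCALL[]   = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };
/* Method 11: device names handed to CreateFileA / _lopen (matched without NUL) */
static const uint8_t SIG_DEV_SICE[]   = "\\\\.\\SICE";
static const uint8_t SIG_DEV_SIWVID[] = "\\\\.\\SIWVID";
static const uint8_t SIG_DEV_NTICE[]  = "\\\\.\\NTICE";

#define RAWSIG(n, a) { n, a, sizeof(a) }
#define STRSIG(n, a) { n, a, sizeof(a) - 1 }   /* drop the terminating NUL */

static const struct sig SIGS[] = {
    RAWSIG("01 mov ebp,'BCHK'",               SIG_BCHK),
    RAWSIG("02 SI/DI magic values + int 3",   SIG_MAGIC),
    RAWSIG("03 int 2Fh/1684h, VxD ID 0202h",  SIG_SICE_ID),
    RAWSIG("04 int 2Fh/1684h, VxD ID 7A5Fh",  SIG_SIWVID_ID),
    RAWSIG("05 int 41h/4Fh -> 0F386h",        SIG_INT41),
    RAWSIG("07 int 68h/43h -> 0F386h",        SIG_INT68),
    STRSIG("11 device name \\\\.\\SICE",      SIG_DEV_SICE),
    STRSIG("11 device name \\\\.\\SIWVID",    SIG_DEV_SIWVID),
    STRSIG("11 device name \\\\.\\NTICE",     SIG_DEV_NTICE),
    RAWSIG("12 VxDCall 002A002Ah",            SIG_VXDCALL),
};

struct hit { const char *name; size_t offset; };

/* Byte-for-byte scan of buf; stores up to max hits in offset order and
 * returns the total number of matches found (may exceed max). */
size_t scan_anti_sice(const uint8_t *buf, size_t len, struct hit *hits, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            const struct sig *sg = &SIGS[s];
            if (sg->len <= len - i && memcmp(buf + i, sg->bytes, sg->len) == 0) {
                if (n < max) { hits[n].name = sg->name; hits[n].offset = i; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample image (not a real binary): prologue filler, then the
 * int 41h/4Fh check (Method 05), a Back Door int 3 with the magic values
 * (Method 02), and the MeltICE device name (Method 11). */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                    /* nop nop push bp mov bp,sp */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  /* mov ax,4Fh int 41h cmp ax,0F386h */
    0x74, 0x10,                                      /* jz  SoftICE_detected */
    0xB8, 0x11, 0x09,                                /* mov ax,0911h */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,        /* mov si,4647h mov di,4A4Dh int 3 */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00, /* "\\.\SICE" */
    0xC3                                             /* ret */
};

size_t scan_sample(struct hit *hits, size_t max)
{
    return scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, max);
}

int main(void)
{
    struct hit hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset 0x%04zx: method %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

On the constructed sample the scanner reports three hits (Method 05 at offset 5, Method 02 at offset 18, the `\\.\SICE` string at offset 25); each hit is a natural place for a BPX or BPINT from the post's own suggestions.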
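Added example, not part of the original post, for Method 10: a DR7 decoder that separates "a system debugger is resident" from "hardware breakpoints are armed", which is what a ring-0 check reading the debug registers actually has to distinguish. The bit layout follows the Intel SDM (L0..L3/G0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and always 1, GD bit 13, R/W and LEN fields from bit 16), which also explains the two values the post quotes: 0x400 is an idle DR7 with only the reserved bit set, 0x700 has LE and GE set on top of it. The sample values and the `dr7_arm` helper are mine, constructed for illustration.

```c
/* Added example (not from the original post): decode DR7 the way a
 * ring-0 check in the spirit of Method 10 would, to tell "debugger
 * present" (LE/GE set) from "hardware breakpoints armed" (L0-L3 / G0-G3).
 * Bit layout per the Intel SDM; sample values below are constructed. */
#include <stdint.h>
#include <stdio.h>

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

struct dr7_info {
    int enabled[4];   /* L_n or G_n set for breakpoint n */
    int kind[4];      /* R/W_n field, see enum bp_kind */
    int len[4];       /* LEN_n decoded to 1, 2, 4 or 8 bytes */
    int le, ge, gd;   /* bit 8, bit 9, bit 13 */
    int armed;        /* number of enabled breakpoints */
};

static int decode_len(unsigned field)
{
    switch (field & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* 10b: 8 bytes in 64-bit mode, undefined on 32-bit */
    }
}

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;   /* L_n | G_n */
        d.kind[n]    = (dr7 >> (16 + 4 * n)) & 3;        /* R/W_n */
        d.len[n]     = decode_len(dr7 >> (18 + 4 * n));  /* LEN_n */
        d.armed     += d.enabled[n];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The post's 0x700 vs 0x400: bit 10 always reads 1, so 0x400 is an idle
 * DR7 and 0x700 additionally carries LE and GE (exact breakpoint match). */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    struct dr7_info d = dr7_decode(dr7);
    return d.le && d.ge;
}

/* Arm breakpoint n (local enable) with the given access kind and length,
 * i.e. what a memory breakpoint (BPM) leaves behind in DR7. */
uint32_t dr7_arm(uint32_t dr7, int n, enum bp_kind kind, int len_bytes)
{
    unsigned lenf = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 4 ? 3 : 2;
    dr7 |= 1u << (2 * n);                                    /* L_n */
    dr7 &= ~(0xFu << (16 + 4 * n));                          /* clear R/W_n, LEN_n */
    dr7 |= ((unsigned)kind | (lenf << 2)) << (16 + 4 * n);
    return dr7;
}

int main(void)
{
    uint32_t samples[] = { 0x400, 0x700, dr7_arm(0x400, 0, BP_WRITE, 4) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = dr7_decode(samples[i]);
        printf("DR7=%#x LE=%d GE=%d armed=%d\n", (unsigned)samples[i], d.le, d.ge, d.armed);
        for (int n = 0; n < 4; n++)
            if (d.enabled[n])
                printf("  DR%d: kind=%d len=%d\n", n, d.kind[n], d.len[n]);
    }
    return 0;
}
```

Reading DR7 from ring 3 is not possible (MOV from a debug register faults outside ring 0), which is why the post restricts this trick to ring 0; a protector doing it from a VxD can both detect BPMs and clear them, so the post's warning to drop all breakpoints before tracing such code stands.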