About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next snippet, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if no debugger owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
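
The two DR7 values quoted above differ only in the LE/GE bits, and the same register tells you which of DR0..DR3 are armed. As an added example (not part of the original post), this Python decoder splits DR7 into its fields using the Intel SDM bit layout and applies the post's heuristic; the sample values are constructed.

```python
"""Decode an x86 DR7 value the way Method 10 reads it (added example, not from
the original post).  Bit layout per the Intel SDM: Ln/Gn = bits 2n/2n+1 for
slots n = 0..3, LE = bit 8, GE = bit 9, bit 10 is reserved and always reads 1,
GD = bit 13, R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into named fields; 'armed' lists the enabled BPM slots."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            armed.append({"slot": n, "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),         # local exact data breakpoint match
        "ge": bool(dr7 & (1 << 9)),         # global exact data breakpoint match
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),        # general detect: trap MOV to/from DRn
        "armed": armed,
    }

def looks_like_softice(dr7: int) -> bool:
    """The post's heuristic: LE+GE set (0x700 from the SoftICE loader) or any
    DR0..DR3 slot enabled, i.e. a BPM is in place.  0x400 alone is clean."""
    d = decode_dr7(dr7)
    return (d["le"] and d["ge"]) or bool(d["armed"])

# Constructed sample values: the two the post quotes, plus DR7 as it looks with
# one 4-byte write BPM armed locally in DR0 (L0=1, R/W0=01, LEN0=11).
SAMPLES = {"no debugger": 0x400, "SoftICE loader": 0x700, "BPM on DR0": 0x000D0401}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:15} DR7={value:#010x} suspicious={looks_like_softice(value)}")
```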

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
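
The breakpoints listed for each method catch the tricks live under SoftICE; when triaging a binary offline, the same methods leave recognisable bytes. As an added example (not from the original post), this Python scanner encodes the instruction sequences and probe strings of Methods 01-07, 11, 12 and 13 as byte signatures and runs them over a constructed, hand-assembled sample; the rule names and wildcard windows are my own choices, and the opcode encodings come from the Intel SDM.

```python
"""Static triage scanner for the SoftICE probes of Methods 01-07, 11, 12 and 13.

Added example, not from the original post.  Each rule is a byte regex over the
16-bit instruction encodings the post shows (66h operand-size prefix allowed
where a 32-bit register appears) or over the probe strings.  Encodings (Intel
SDM): B8/BB/BE/BF iw = mov ax/bx/si/di,imm16; BD id = mov ebp,imm32;
B4 ib = mov ah,imm8; 6A ib / 68 id = push imm; CC = int 3; CD ib = int imm8.
"""
import re

RULES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "M01 BoundsChecker 'BCHK' probe": re.compile(
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)", re.S),
    # Method 02: mov ax,091xh ; ... ; mov si,4647h ; mov di,4A4Dh ; int 3
    "M02 back-door command (SI=4647h, DI=4A4Dh)": re.compile(
        rb"\xB8[\x10-\x14]\x09.{0,16}?\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)", re.S),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h entry point of SICE or SIWVID": re.compile(
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh debugger installation check": re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S),
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h WinICE handler check": re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "M11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; call VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)": re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the registry keys the post lists
    "M13 SoftICE registry key": re.compile(
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I),
}

def scan(blob: bytes) -> list:
    """Return (offset, rule name) pairs for every rule match, sorted by offset."""
    hits = []
    for name, rx in RULES.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

# Constructed sample: the post's Method 01, 02, 05 and 12 sequences assembled by
# hand, then a MeltICE device name and a registry key, separated by NOP filler.
SAMPLE = (
    b"\x90" * 6
    + b"\x66\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC"   # M01 at offset 6
    + b"\x3C\x04\x75\x10"                                        # cmp al,4 ; jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09" + b"\x8B\x17"                              # M02 at offset 24
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3"                  # M05 at offset 40
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                            # M12 at offset 52
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                         # M11 at offset 63
    + b"Software\\NuMega\\SoftICE\x00"                           # M13 at offset 72
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The rules are signatures only: a packer that builds the immediates at run time, or interleaves more instructions than the small wildcard windows allow, will not match, so treat a clean scan as absence of evidence rather than evidence of absence.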

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>