About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

This next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must already point to segment 0 (the IVT), as set up in method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector is saved in bx:dx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE took the interrupt
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, 01h                 ; Int_Number: 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
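An added example, not code from the original post: a small Python scanner that turns several of the tricks above (methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13) into x86 byte signatures and string patterns, so an analyst can triage a packed sample for these checks before loading it in a debugger. The instruction encodings are the standard 16-bit ones (the 32-bit form only adds a 66h operand-size prefix), and the sample buffer at the bottom is constructed for the demonstration.

```python
import re

# Added example: static byte signatures for the anti-SoftICE checks above.
# A 66h operand-size prefix is all that separates the 16-bit and 32-bit
# encodings of these instructions, so it is allowed where it would appear.
SIGNATURES = [
    ("bchk_int3",          # method 01
     "mov ebp,'BCHK' BoundsChecker signature before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("backdoor_int3",      # method 02
     "mov si,4647h / mov di,4A4Dh back-door magic values",
     re.compile(rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A")),
    ("int2f_1684",         # methods 03 and 04
     "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("int41_4f",           # methods 05 and 06
     "mov ax,4Fh / int 41h debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("int68_43",           # method 07
     "mov ah,43h / int 68h WinICE V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("vxdcall_int41",      # method 12
     "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("magic_f386",         # methods 05, 06, 07 and 12 compare against it
     "cmp ax,0F386h system-debugger magic number",
     re.compile(rb"\x3D\x86\xF3")),
    ("driver_name",        # method 11 (MeltICE)
     r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("registry_key",       # method 13
     "NuMega\\SoftICE registry path",
     re.compile(rb"NuMega\\SoftICE", re.IGNORECASE)),
]

def scan(buf: bytes) -> list:
    """Return [(offset, name), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, _desc, rx in SIGNATURES:
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    return sorted(hits)

def report(buf: bytes) -> str:
    """One line per hit: offset, signature name and what the trick does."""
    desc = {name: d for name, d, _ in SIGNATURES}
    return "\n".join(f"{off:08x}  {name:<14} {desc[name]}"
                     for off, name in scan(buf))

# Constructed sample (not a real binary): a HASP-style back-door probe in
# 16-bit encoding, a 32-bit int 41h/4Fh check and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A"      # mov si,4647h / mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 3
    + b"\x66\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h (32-bit form)
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0 for CreateFileA
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

The `magic_f386` pattern is three bytes long and will also fire on unrelated `cmp ax,imm16` instructions, so treat it as corroboration for an `int 41h`, `int 68h` or VxDCall hit rather than as a finding on its own.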