<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE's int 3 handler
recognises:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4              ; al left untouched (4) means no SoftICE
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point); ES:DI comes back non-zero when the VxD is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so an int 41h handler installed in the IVT is
bypassed and the magic number can only come from a debugger that intercepts
the interrupt at a lower level (es must point to segment 0 here, as in
Method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install dummy handler, old offset kept in dx
    xchg bx, es:[41h*4+2]      ; ... and segment, old segment kept in bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: a
byte read from port 40h is passed to int 41h, and the dummy handler copies
it into cl. If something intercepts int 41h before the IVT handler runs,
cl is never updated and the comparison fails.


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; PIT counter: a changing value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h               ; DOS set interrupt vector
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as
well (clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
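Most of the checks above reduce to a handful of fixed byte sequences: the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the int 2Fh/1684h lookups of Methods 03/04, the int 41h/4Fh, int 68h/43h and VxDCall checks of Methods 05, 07 and 12 with their cmp ax,0F386h, the device names of Method 11 and the registry path of Method 13. That makes them easy to triage statically before ever loading the file under a debugger. The Python script below is an added example, not part of the original text: the byte patterns are the standard x86 encodings of the instructions quoted above (an optional 66h operand-size prefix covers the same 16-bit instructions assembled inside 32-bit code), and the sample buffer is constructed for the demonstration.

```python
"""Static triage for the anti-SoftICE idioms described in the text.

Added example (not from the original page).  Patterns are the standard
x86 encodings of the quoted instructions; SAMPLE is a constructed buffer.
"""
import re

# One entry per idiom: (key, description, regex over raw bytes).
# "(?:\x66)?" is the operand-size prefix that appears when a 16-bit
# instruction is assembled inside 32-bit code; "[\x00-\xff]{0,8}?" allows a
# few unrelated bytes between the instructions of one check.
PATTERNS = [
    ("m01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("m02", "int 3 back door magic values: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46[\x00-\xff]{0,8}?(?:\x66)?\xBF\x4D\x4A")),
    ("m03", "int 2Fh/1684h entry point lookup for VxD ID 0202h or 7A5Fh",
     re.compile(rb"(?:\x66)?\xB8\x84\x16[\x00-\xff]{0,8}?(?:\x66)?\xBB"
                rb"(?:\x02\x02|\x5F\x7A)[\x00-\xff]{0,8}?\xCD\x2F")),
    ("m05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    ("m07", "int 68h function 43h: mov ah,43h / int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("m12", "VWIN32_Int41Dispatch VxDCall: push 4Fh / push 2A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("magic", "system debugger magic number compare: cmp ax,0F386h",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("m11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("m13", "SoftICE registry path Software\\NuMega\\SoftICE",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(buf: bytes):
    """Return every hit as (offset, key, description), sorted by offset.

    Hits from different patterns are all reported even when they touch,
    since one check usually combines several idioms (e.g. m05 + magic).
    """
    hits = []
    for key, desc, rx in PATTERNS:
        for m in rx.finditer(buf):
            hits.append((m.start(), key, desc))
    hits.sort()
    return hits


def keys_found(buf: bytes):
    """Set of idiom keys present in buf, for a quick yes/no triage."""
    return {key for _, key, _ in scan(buf)}


# Constructed sample: a few of the idioms from the text, padded with NOPs,
# as they would appear in a 32-bit section (and one 16-bit fragment).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh ('BCHK')  @4
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"      # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh / int 41h        @20
    + b"\x66\x3D\x86\xF3"                  # cmp ax,0F386h               @26
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"  # 16-bit: mov ax,1684h / mov bx,7A5Fh / int 2Fh @34
    + b"\x90" * 4
    + b"\\\\.\\SIWVID\x00"                 # MeltICE device name         @46
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, key, desc in scan(SAMPLE):
        print(f"0x{off:04x}  {key:5}  {desc}")
```

To triage a real file, pass its raw bytes: scan(open(path, "rb").read()). Treat a hit as a pointer to where to look, not as proof: the string and magic-number patterns can fire on unrelated data, and a check that builds its constants at runtime or splits them across instructions will not match at all.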
' T! r1 E# A1 B7 {2 k4 G( K. N9 R' `9 ? I3 |. {% J& M
__________________________________________________________________________" l# ?1 P$ [* {: B5 a
, O% @0 v0 V( J6 e# U/ v, k
! O& B* G. I2 {; w/ j" s
Method 14 : m5 _) L/ H$ P* _8 u! O+ G
=========# D8 h. _7 g" k& H! k
& q0 ~, z$ Z& U: M' g& f: B! r
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose A* ?& v/ S7 a* X T. q4 s, ]$ f. B
is to determines whether a debugger is running on your system (ring0 only).
( C" Y2 K0 H2 ?& e6 @1 `2 R4 b2 i; I5 r, Q1 }3 z1 j) J' I
VMMCall Test_Debug_Installed2 w8 i) W2 x3 B8 k0 `) E& x3 f0 o
je not_installed2 O- I8 `$ K) r- C! c( O2 [( A
5 ]5 U, Z4 P( j5 k
This service just checks a flag.6 k- |3 I. G8 n: K" ?! K- C: D- J
</PRE></TD></TR></TBODY></TABLE> |