<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is left untouched when no SoftICE answered the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
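As an added example (not code from the original text), here is a small static scanner that finds this calling sequence in raw 16-bit code: it looks for an INT 3 preceded by the two magic immediates and names the AX function. The constructed sample is the Haspinst.exe loop above re-encoded as bytes; the window size and the function names are my assumptions.

```python
"""Static scanner for the SoftICE INT 3 'back door' sequence of Method 02.

Added example, not code from the original text.  It flags every INT 3
(0xCC) that is preceded, within a short window, by MOV SI,4647h (BE 47 46),
MOV DI,4A4Dh (BF 4D 4A) and MOV AX,09xxh (B8 xx 09), and names the
back-door function.  16-bit encodings are assumed (the trick is a DOS one).
"""
from typing import List, Optional, Tuple

BACKDOOR_FUNCTIONS = {            # AX values listed in Method 02
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoint",
    0x0914: "remove SoftICE breakpoint",
}
MOV_SI_MAGIC = b"\xbe\x47\x46"    # mov si,4647h
MOV_DI_MAGIC = b"\xbf\x4d\x4a"    # mov di,4A4Dh
INT3 = 0xCC
WINDOW = 24                       # bytes searched backwards from the INT 3 (assumption)


def find_backdoor_calls(code: bytes, window: int = WINDOW) -> List[Tuple[int, Optional[int]]]:
    """Return (offset_of_int3, ax_function_or_None) for each suspicious INT 3."""
    hits = []
    for off, byte in enumerate(code):
        if byte != INT3:
            continue
        chunk = code[max(0, off - window):off]
        # both magic immediates must be loaded right before the INT 3
        if MOV_SI_MAGIC not in chunk or MOV_DI_MAGIC not in chunk:
            continue
        func = None
        for i in range(len(chunk) - 2):
            if chunk[i] == 0xB8:                      # mov ax,imm16
                imm = chunk[i + 1] | (chunk[i + 2] << 8)
                if imm in BACKDOOR_FUNCTIONS:
                    func = imm
        hits.append((off, func))
    return hits


def describe(hits: List[Tuple[int, Optional[int]]]) -> List[str]:
    """Human-readable report line per hit."""
    return [f"{off:#06x}: INT 3 back door, AX={func:#06x} ({BACKDOOR_FUNCTIONS[func]})"
            if func is not None else f"{off:#06x}: INT 3 with SoftICE magic values, AX unknown"
            for off, func in hits]


# Constructed sample: the Haspinst.exe loop from the listing above
# (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3 / ...),
# padded with NOPs and followed by an unrelated INT 3 that must not be flagged.
HASPINST_LOOP = bytes.fromhex(
    "b81109" "8b17" "be4746" "bf4d4a" "cc" "83c302" "41" "83f906" "72eb" "e955ff" "8bdc"
)
SAMPLE = b"\x90" * 4 + HASPINST_LOOP + b"\x90" * 30 + b"\xcc"

if __name__ == "__main__":
    for line in describe(find_backdoor_calls(SAMPLE)):
        print(line)
```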
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 when the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; assumes es=0: swap our own int 41h vector in
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value from the timer
 xor cx,cx
 int 41h ; if the call reaches our handler, cl becomes al
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
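As an added example (not from the original text), a decoder for the DR7 value that Method 10 reads: it shows why 0x700 and 0x400 differ (LE and GE set versus only the always-set reserved bit) and lists the hardware breakpoints, i.e. SoftICE BPMs, that DR7 enables in DR0-DR3. The field layout is the documented x86 one; the sample register values are constructed.

```python
"""Decoder for the x86 DR7 debug-control register read by Method 10.

Added example, not code from the original text.  Layout (Intel SDM):
L0..L3 / G0..G3 are bit pairs 0..7 (local/global enable per register),
LE = bit 8, GE = bit 9, bit 10 is reserved and always reads 1, GD = bit 13,
R/Wn is the 2-bit field at bit 16+4n and LENn the 2-bit field at bit 18+4n.
"""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its named fields; each DR0..DR3 slot gets its own dict."""
    slots = []
    for n in range(4):
        slots.append({
            "local":  bool(dr7 >> (2 * n) & 1),
            "global": bool(dr7 >> (2 * n + 1) & 1),
            "rw":     RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "len":    LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "slots": slots,
    }


def loaded_with_softice_loader(dr7: int) -> bool:
    """Method 10's heuristic: LE and GE both set (0x700) vs only bit 10 (0x400)."""
    d = decode_dr7(dr7)
    return bool(d["le"] and d["ge"])


def active_breakpoints(dr7: int, dr0_3: List[int]) -> List[str]:
    """List the hardware breakpoints (SoftICE 'BPM') that DR7 currently enables."""
    out = []
    for n, slot in enumerate(decode_dr7(dr7)["slots"]):
        if slot["local"] or slot["global"]:
            out.append(f"DR{n}: {slot['rw']} at {dr0_3[n]:#010x} len {slot['len']}")
    return out


# Constructed sample: DR7 with L0 set, R/W0 = read/write, LEN0 = 4 bytes
# (0x000F0401), and a linear address in DR0.  Not real captured values.
SAMPLE_DR7 = 0x000F0401
SAMPLE_DR0_3 = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7):
        print(f"dr7={value:#x}: loader={loaded_with_softice_loader(value)}",
              active_breakpoints(value, SAMPLE_DR0_3))
```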

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* the device opened: the driver is loaded */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>