<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the int 3 is issued with
ebp='BCHK' and ax=4; if SoftICE is loaded it answers the request and al no
longer holds 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands. It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first; if the VxD is not loaded
the call leaves it untouched, so a non-zero ES:DI afterwards means the VxD
is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector at
a dummy handler, so the 0F386h answer can only come from a debugger that
intercepts int 41h before the vector table is consulted (ES must hold
segment 0, the vector table, as done explicitly in Method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
code never compares against 0F386h, so there is no magic constant to put a
conditional breakpoint on. It reads the timer port (in al, 40h) to get a value
it cannot predict, clears cx, then issues int 41h. If the temporary handler
runs, cl receives a copy of al and the two match; if the debugger handles the
interrupt itself and never passes it on to the vector, cl stays 0 and the
mismatch gives it away. (If the byte read from port 40h happens to be 0, the
check misses.)


int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx = new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE, or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only; a MOV from a debug register in ring 3 raises a general
protection fault). Values can be manipulated or changed as well
(clearing BPMs for instance).
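The following C program is an added example, not part of the original text: it decodes a DR7 value the way a ring 0 check of this kind would, so the two numbers quoted above become readable. 0x400 is bit 10, which always reads as 1; 0x700 adds the LE and GE bits (8 and 9); an armed BPM shows up as an L<n>/G<n> enable bit plus an R/W and LEN field for that slot. The bit layout is the documented IA-32 DR7 format; the sample values are constructed for the demonstration and the program never touches real debug registers (which would fault outside ring 0).

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (IA-32): L<n>/G<n> in bits 2n/2n+1, LE bit 8, GE bit 9,
 * bit 10 reserved and always read as 1, GD bit 13,
 * R/W<n> in bits 16+4n..17+4n, LEN<n> in bits 18+4n..19+4n. */
#define DR7_LE     (1u << 8)
#define DR7_GE     (1u << 9)
#define DR7_BIT10  (1u << 10)   /* the 0x400 seen on a clean machine */
#define DR7_GD     (1u << 13)   /* general detect: traps MOV to/from DRn */

typedef struct {
    int enabled;   /* L<n> or G<n> set: DR<n> is armed */
    int global;    /* G<n> set */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;       /* 1, 2, 8 or 4 bytes (encodings 0..3); meaningless for execute */
} dr_slot_t;

typedef struct {
    dr_slot_t slot[4];
    int armed;     /* number of enabled slots (hardware/BPM breakpoints) */
    int le_ge;     /* LE and GE both set: the 0x700 pattern from the text */
    int gd;        /* GD set */
} dr7_info_t;

static dr7_info_t dr7_decode(uint32_t dr7)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };
    dr7_info_t info = {0};
    for (int n = 0; n < 4; n++) {
        int l = (dr7 >> (2 * n)) & 1;
        int g = (dr7 >> (2 * n + 1)) & 1;
        info.slot[n].enabled = l | g;
        info.slot[n].global  = g;
        info.slot[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        info.slot[n].len     = len_tab[(dr7 >> (18 + 4 * n)) & 3];
        info.armed += info.slot[n].enabled;
    }
    info.le_ge = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    info.gd    = (dr7 & DR7_GD) != 0;
    return info;
}

/* Verdict an anti-debug routine would draw from DR7 alone:
 * 0 = clean (0x400), 1 = started under the SoftICE loader (0x700),
 * 2 = at least one hardware breakpoint is armed. */
static int dr7_verdict(uint32_t dr7)
{
    dr7_info_t i = dr7_decode(dr7);
    if (i.armed) return 2;
    return i.le_ge ? 1 : 0;
}

static void dr7_print(uint32_t dr7)
{
    dr7_info_t i = dr7_decode(dr7);
    printf("DR7=%08x verdict=%d le_ge=%d gd=%d\n",
           (unsigned)dr7, dr7_verdict(dr7), i.le_ge, i.gd);
    for (int n = 0; n < 4; n++)
        if (i.slot[n].enabled)
            printf("  DR%d %s rw=%d len=%d\n", n,
                   i.slot[n].global ? "global" : "local",
                   i.slot[n].rw, i.slot[n].len);
}

int main(void)
{
    dr7_print(0x400);        /* constructed: nothing set, normal run */
    dr7_print(0x700);        /* constructed: LE|GE, loaded via the SoftICE loader */
    dr7_print(0x000D0401);   /* constructed: DR0 local, write, 4 bytes (a dword BPM W) */
    return 0;
}
```

The verdict function mirrors what the text says a protection can learn from DR7 alone; the decoder is also what you would use to confirm, from a crash dump or a hypervisor trace, which BPM a protection was complaining about.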

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
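Added example, not from the original page nor from any of the programs it names: a small static scanner that looks for the instruction sequences of Methods 01 to 07 and 12 in a raw code buffer, YARA-style, with "??" wildcards. The byte patterns are the standard x86 encodings of the instructions listed above (the comment gives the mapping). They assume the instruction order shown on this page and, for Method 12, that VxDCall is reached through an import-table slot (call dword ptr [imm32]); a packer that reorders the moves or computes the constants at run time slips past them, and the 16-bit patterns can false-match inside 32-bit code, so treat a hit as a lead to disassemble, not a verdict. The sample buffer is constructed for the test.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAT 32

typedef struct {
    const char *name;   /* method number on this page */
    const char *hex;    /* bytes; "??" matches any byte */
} sig_t;

/* Encodings used below (16-bit code unless noted):
 *   B8 iw mov ax,imm16   BB iw mov bx,imm16   BE iw mov si,imm16
 *   BF iw mov di,imm16   B4 ib mov ah,imm8    BD id mov ebp,imm32 (32-bit)
 *   66 B8 iw mov ax,imm16 (32-bit)           CC int 3   CD ib int imm8
 *   3D iw cmp ax,imm16   3C ib cmp al,imm8    6A ib push imm8 (32-bit)
 *   68 id push imm32 (32-bit)   FF 15 d32 call dword ptr [imm32] (32-bit) */
static const sig_t SIGS[] = {
    { "01 BoundsChecker int 3",     "BD 4B 48 43 42 66 B8 04 00 CC 3C 04" },
    { "02 SoftICE int 3 back door", "BE 47 46 BF 4D 4A CC" },
    { "03 int 2Fh/1684h SICE",      "B8 84 16 BB 02 02 CD 2F" },
    { "04 int 2Fh/1684h SIWVID",    "B8 84 16 BB 5F 7A CD 2F" },
    { "05 int 41h/4Fh",             "B8 4F 00 CD 41 3D 86 F3" },
    { "07 int 68h/43h",             "B4 43 CD 68 3D 86 F3" },
    /* push 4Fh; push 002A002Ah; call [IAT slot]; the slot address is unknown */
    { "12 VxDCall Int41Dispatch",   "6A 4F 68 2A 00 2A 00 FF 15 ?? ?? ?? ??" },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Parse "BD 4B ?? 42" into value/mask arrays; returns the length or -1. */
static int parse_hex(const char *hex, uint8_t *val, uint8_t *mask)
{
    int n = 0;
    const char *p = hex;
    while (*p) {
        if (*p == ' ') { p++; continue; }
        if (n >= MAX_PAT || p[1] == '\0') return -1;
        if (p[0] == '?' && p[1] == '?') {
            val[n] = 0; mask[n] = 0;
        } else {
            char tmp[3] = { p[0], p[1], '\0' };
            char *end;
            long v = strtol(tmp, &end, 16);
            if (end != tmp + 2) return -1;
            val[n] = (uint8_t)v; mask[n] = 0xFF;
        }
        n++; p += 2;
    }
    return n;
}

/* Offset of the first match of a masked pattern in buf, or -1. */
static long find_pattern(const uint8_t *buf, size_t len, const char *hex)
{
    uint8_t val[MAX_PAT], mask[MAX_PAT];
    int n = parse_hex(hex, val, mask);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (buf[i + j] & mask[j]) == val[j]) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Scan buf against every signature; returns a bitmask of matched SIGS indices. */
static unsigned scan_softice_checks(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_pattern(buf, len, SIGS[k].hex);
        if (off >= 0) {
            hits |= 1u << k;
            printf("Method %s at offset 0x%lx\n", SIGS[k].name, (unsigned long)off);
        }
    }
    return hits;
}

/* Constructed sample, not a real binary: the Haspinst.exe loop body from
 * Method 02 followed by the simplest Method 05 check, with nop padding. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                        /* nop; nop */
    0xB8, 0x11, 0x09,                  /* mov ax,0911h */
    0x8B, 0x17,                        /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                  /* mov si,4647h   <- offset 7 */
    0xBF, 0x4D, 0x4A,                  /* mov di,4A4Dh */
    0xCC,                              /* int 3 */
    0x83, 0xC3, 0x02,                  /* add bx,2 */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,      /* mov ax,4Fh; int 41h   <- offset 17 */
    0x3D, 0x86, 0xF3,                  /* cmp ax,0F386h */
};

int main(void)
{
    unsigned hits = scan_softice_checks(SAMPLE, sizeof SAMPLE);
    printf("hit mask: 0x%02x\n", hits);
    return hits ? 1 : 0;
}
```

Point the scanner at the unpacked image (after the packer's own layer has run), since the constants are what the author says you will "see each time": 4647h/4A4Dh, 0F386h, 'BCHK'. A wildcard pattern is also the right tool for Method 12, where only the import slot address varies between builds.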
* c0 T9 r7 D( W5 S& d5 E6 e, t% ?& h- v' K k2 `
__________________________________________________________________________' A9 \3 B# }, x
- N: u4 X, v4 X, I% e) @7 B
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
sits in the subkey strings of #2 and #1 respectively; key #3 is not covered):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
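Added example (not from the original page): the two SoftICE breakpoint conditions quoted under Method 11 and Method 13, re-evaluated in C to show what the hard-coded offsets mean. On a BPX at the first instruction of an API, esp points at the return address, so esp->4 is the first argument and esp->8 the second. The stack frame is modelled here as an array of argument pointers; the subkey strings are the three registry paths listed above minus the HKEY_LOCAL_MACHINE root, which RegOpenKey receives as its handle argument. The string-length guards are mine; the real breakpoint expressions read four bytes unconditionally.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stack as SoftICE sees it on a BPX at an API's first instruction:
 * [esp] = return address, [esp+4] = 1st argument (esp->4),
 * [esp+8] = 2nd argument (esp->8). Modelled as argument pointers. */
typedef struct {
    const void *ret;
    const void *arg[3];
} frame_t;

/* *(p)=='XYZW' in SoftICE compares the four bytes at p; memcmp does the same. */
static int four_bytes_equal(const char *p, const char *lit)
{
    return memcmp(p, lit, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName; the +4 skips the 4-byte "\\.\" device prefix. */
static int bpx_createfilea(const frame_t *f)
{
    const char *name = (const char *)f->arg[0];
    if (name == NULL || strlen(name) < 8) return 0;   /* guard added here */
    const char *p = name + 4;
    return four_bytes_equal(p, "SICE") || four_bytes_equal(p, "SIWV")
        || four_bytes_equal(p, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * RegOpenKey(hKey, lpSubKey, phkResult): esp->8 is lpSubKey. */
static int bpx_regopenkey(const frame_t *f)
{
    const char *sub = (const char *)f->arg[1];
    if (sub == NULL) return 0;
    size_t n = strlen(sub);
    return (n >= 0x13 + 4 && four_bytes_equal(sub + 0x13, "tICE"))
        || (n >= 0x37 + 4 && four_bytes_equal(sub + 0x37, "tICE"));
}

/* Where 0x13 and 0x37 come from: the offset of "tICE" inside the subkey. */
static long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1L;
}

/* Convenience wrappers that build the frame for one call. */
static int createfilea_would_break(const char *lpFileName)
{
    frame_t f = { NULL, { lpFileName, NULL, NULL } };
    return bpx_createfilea(&f);
}

static int regopenkey_would_break(const char *lpSubKey)
{
    frame_t f = { NULL, { NULL, lpSubKey, NULL } };
    return bpx_regopenkey(&f);
}

/* Subkeys of the three HKEY_LOCAL_MACHINE paths listed under Method 13. */
static const char KEY1[] = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char KEY2[] = "Software\\NuMega\\SoftICE";
static const char KEY3[] = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

int main(void)
{
    printf("tICE offset: #1=0x%lx #2=0x%lx #3=%ld\n",
           tice_offset(KEY1), tice_offset(KEY2), tice_offset(KEY3));
    printf("_regopenkey BPX fires: #1=%d #2=%d #3=%d\n",
           regopenkey_would_break(KEY1), regopenkey_would_break(KEY2),
           regopenkey_would_break(KEY3));
    printf("CreateFileA BPX fires: SICE=%d NTICE=%d readme=%d\n",
           createfilea_would_break("\\\\.\\SICE"),
           createfilea_would_break("\\\\.\\NTICE"),
           createfilea_would_break("C:\\readme.txt"));
    return 0;
}
```

Two things fall out of running it: the 'NTIC' literal matches "\\.\NTICE" because only four bytes are compared, and the _regopenkey breakpoint cannot fire on key #3 (nor on any SoftICE path opened relative to a different root handle), which is why the author qualifies it as "usually #2".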
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>