<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: INT 3 is issued with
EBP='BCHK' and AX=4. If SoftICE is loaded it services the call and AL no
longer holds 4 on return, which is what the check tests.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) if the
debugger is not loaded: with nobody to service it, the INT 3 raises a
breakpoint exception and the handler resumes execution at 00ADh.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI comes back non-zero only when a VxD with
that ID is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both temporarily replace the int 41h
vector with a dummy handler of their own for the duration of the call and
restore it afterwards:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own int 41h handler
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The dummy handler copies AL into CL, and AL holds a PIT timer byte read from
port 40h (almost never 0). The check only passes if the freshly installed
handler actually ran (CL==AL); when SoftICE services the int 41h itself, it
does not, CL stays 0 and the mismatch gives the debugger away.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; PIT channel 0 counter: a changing, non-zero value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (DR0 to DR3), simply by reading their
values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

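What the two DR7 values quoted above mean, and what a ring-0 check would read or rewrite, as an added example written for this page (not code from the original article): DR7 bit 10 is reserved and always reads as 1, which is the 0x400 'clean' value; 0x700 additionally has LE (bit 8) and GE (bit 9) set; bits 0-7 are the local/global enable bits for DR0-DR3, and bits 16-31 hold the R/W and LEN fields that say what kind of access each breakpoint watches. The decoder, the arm/clear helpers and the sample values below are constructed for this example; reading DR7 itself (mov eax,dr7) needs ring 0 and is not part of the Python.

```python
"""Decode and rewrite x86 DR7 the way a ring-0 anti-SoftICE check would.

Added example for this page; the bit layout follows the Intel manual, the
helper names and sample values are this example's own.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is 8 bytes on x86-64 only
RW_CODE = {v: k for k, v in RW_KIND.items()}
LEN_CODE = {v: k for k, v in LEN_BYTES.items()}

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED = 1 << 10   # always reads as 1: a "clean" DR7 is 0x400
DR7_GD = 1 << 13         # general detect: traps any mov to/from DRx


def decode_dr7(dr7):
    """Return the control bits and the armed hardware breakpoints in dr7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        field = 16 + 4 * i                   # R/Wi at field, LENi at field+2
        rw = (dr7 >> field) & 3
        ln = (dr7 >> (field + 2)) & 3
        if local or glob:
            bps.append({"index": i,
                        "scope": "global" if glob else "local",
                        "kind": RW_KIND[rw],
                        "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & DR7_LE),
            "GE": bool(dr7 & DR7_GE),
            "reserved_bit10": bool(dr7 & DR7_RESERVED),
            "GD": bool(dr7 & DR7_GD),
            "breakpoints": bps}


def softice_hint(dr7):
    """Classify a DR7 value the way the text does: BPM armed, LE/GE, or clean."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "BPM armed"
    if d["LE"] or d["GE"]:
        return "LE/GE set"          # 0x700, as seen with the SoftICE loader
    return "clean"                  # 0x400: only the reserved bit


def arm_bpm(dr7, index, kind, length, global_=False):
    """Compute the DR7 value that arms DRindex as a breakpoint of the given kind.

    kind is one of RW_KIND's names; length is 1, 2, 4 (or 8 on x86-64).
    Execute breakpoints must use length 1 (LEN=00b) on real hardware.
    """
    if not 0 <= index <= 3:
        raise ValueError("only DR0..DR3 exist")
    if kind == "execute" and length != 1:
        raise ValueError("execute breakpoints need LEN=00b (length 1)")
    field = 16 + 4 * index
    dr7 &= ~(0xF << field)                      # clear old R/W and LEN
    dr7 |= RW_CODE[kind] << field
    dr7 |= LEN_CODE[length] << (field + 2)
    dr7 |= 1 << (2 * index + (1 if global_ else 0))
    return dr7 | DR7_RESERVED


def clear_bpms(dr7):
    """Disarm every hardware breakpoint (what a protector does to kill BPMs)."""
    return dr7 & ~0xFF        # L0..L3 / G0..G3 off; R/W and LEN fields untouched


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x400, 0, "write", 4)):
        print(hex(value), softice_hint(value), decode_dr7(value)["breakpoints"])
```

The two values the text names are the two non-breakpoint states: 0x400 is a register with nothing but the always-set reserved bit, 0x700 adds LE and GE, and anything with a low byte other than 0 means a BPM (DR0 to DR3) is armed, which is exactly what a protector reads before deciding to clear the low byte.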
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API; the open succeeds only if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include "windows.h"

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the device exists: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the leading "\\.\" so that the
dword compare sees the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, when the
open fails, hence the inc eax / jnz test):

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
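The interrupt-based checks of methods 01, 02, 03/04, 05, 07 and 12 all assemble to short fixed byte sequences, so the quickest way to find them in a protected executable is a byte-signature scan rather than single-stepping to them. The scanner below is an added example written for this page, not code from the original article or from any of the programs it mentions: each pattern is the machine-code encoding of the instruction sequence quoted in the corresponding method (with optional 66h operand-size prefixes so that the 16-bit and 32-bit forms of the same mov/cmp both match, and a wildcard for the call target in method 12), and the sample buffer is constructed here for the demonstration.

```python
"""Byte-signature scanner for the SoftICE checks of methods 01-05, 07 and 12.

Added example for this page. Patterns are the opcode encodings of the code
shown in the text; the sample buffer at the bottom is constructed, not taken
from any real protector.
"""
import re
import sys

# id -> (description, regex over bytes). \x66? = optional operand-size prefix.
SIGNATURES = {
    "01": ("BoundsChecker back door: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4",
           rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"),
    "02": ("SoftICE back door: mov si,4647h ('FG') / mov di,4A4Dh ('JM') / int 3",
           rb"(?:\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A\x66?\xBE\x47\x46)\xCC"),
    "03/04": ("int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
              rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    "05": ("mov ax,4Fh / int 41h / cmp ax,0F386h",
           rb"\x66?\xB8\x4F\x00\xCD\x41\x66?\x3D\x86\xF3"),
    "07": ("mov ah,43h / int 68h / cmp ax,0F386h",
           rb"\xB4\x43\xCD\x68\x66?\x3D\x86\xF3"),
    "12": ("push 4Fh / push 002A002Ah / call VxDCall / cmp ax,0F386h",
           rb"\x6A\x4F\x68\x2A\x00\x2A\x00(?:\xE8|\xFF\x15).{4}\x66\x3D\x86\xF3"),
}

COMPILED = {sig_id: re.compile(pat, re.DOTALL)
            for sig_id, (_desc, pat) in SIGNATURES.items()}


def scan(blob):
    """Return sorted (offset, signature id) pairs for every hit in blob."""
    hits = []
    for sig_id, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), sig_id))
    return sorted(hits)


def report(blob):
    """Human-readable lines, one per hit."""
    return ["%08x  method %-5s %s" % (off, sig_id, SIGNATURES[sig_id][0])
            for off, sig_id in scan(blob)]


# Constructed sample: nop padding around one instance of each sequence, in
# the register/operand forms shown in the text (method 02 as in Haspinst.exe,
# method 04 with the SIWVID ID, method 12 with a dummy call [imm32] target).
SAMPLE = b"".join([
    b"\x90" * 8,
    bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 05"),        # 01
    b"\x90" * 4,
    bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"),              # 02
    b"\x90" * 4,
    bytes.fromhex("31 FF 8E C7 B8 84 16 BB 5F 7A CD 2F"),              # 04
    b"\x90" * 4,
    bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 02"),                    # 05
    b"\x90" * 4,
    bytes.fromhex("B4 43 CD 68 3D 86 F3 74 02"),                       # 07
    b"\x90" * 4,
    bytes.fromhex("6A 4F 68 2A 00 2A 00 FF 15 10 20 40 00 66 3D 86 F3 74 02"),  # 12
])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data) or ["no known SoftICE check found"]:
        print(line)
```

Run it on a file to scan that file, or with no argument to scan the constructed sample. The patterns deliberately stop before the conditional jump that follows each compare, because protectors vary the jump (jz/jnz, short/near) far more than the magic constants, and method 01's 'BCHK' is only matched in its 32-bit form since that is the form the Win32 packers in the text use.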

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey string; offset 0x13 lands on "tICE" inside
"Software\NuMega\SoftICE" and 0x37 on "tICE" at the end of the
"...\Uninstall\SoftICE" path)
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>