<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
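Methods 01 to 07 all end in an INT whose vector and preceding immediate loads are constant, so an analyst triaging a sample can flag them statically. The scanner below is an added example (not code from the original text, and not from any of the packers it mentions). It assumes raw 16-bit x86 code in which the register setup is assembled with the short immediate forms (B8+r iw, B4 ib, 66 BD id), which is how the snippets above assemble; the rule table, the window size and the sample buffer are my own choices. It goes a little beyond the listings: for every INT it looks back over a short window for the tell-tale immediates, so extra instructions or a different setup order are tolerated. Method 06 and the Stone variant of Method 05 have no distinctive immediate before the INT and are not covered.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01-07.

Added example, not code from the original text.  Assumes raw 16-bit x86 code
with the register setup assembled in the short immediate forms (B8+r iw for
mov r16,imm16; B4 ib for mov ah,imm8; 66 BD id for mov ebp,imm32).
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

WINDOW = 16  # bytes to look back from the INT for the register setup (my choice)


@dataclass(frozen=True)
class Hit:
    offset: int       # offset of the INT instruction
    method: str       # method number as used in the text
    description: str


# (interrupt vector, instruction bytes that must all appear in the window,
#  method number, description)
RULES: List[Tuple[int, List[bytes], str, str]] = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3  (BoundsChecker interface)
    (0x03, [b"\x66\xBD\x4B\x48\x43\x42", b"\xB8\x04\x00"],
     "01", "int 3 with EBP='BCHK' (BoundsChecker signature check)"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3  (back door commands)
    (0x03, [b"\xBE\x47\x46", b"\xBF\x4D\x4A"],
     "02", "int 3 back door with SI=4647h / DI=4A4Dh"),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh  (SICE VxD entry point)
    (0x2F, [b"\xB8\x84\x16", b"\xBB\x02\x02"],
     "03", "int 2Fh/1684h for VxD ID 0202h (SICE)"),
    # Method 04: same, VxD ID 7A5Fh (SIWVID)
    (0x2F, [b"\xB8\x84\x16", b"\xBB\x5F\x7A"],
     "04", "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)"),
    # Method 05: mov ax,4Fh / int 41h  (debugger installation check)
    (0x41, [b"\xB8\x4F\x00"],
     "05", "int 41h function 4Fh (expects magic 0F386h)"),
    # Method 07: mov ah,43h / int 68h  (V86 WinICE handler)
    (0x68, [b"\xB4\x43"],
     "07", "int 68h function 43h (expects magic 0F386h)"),
]


def int_sites(code: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, vector) for each INT encoding: CC = int 3, CD ib = int ib."""
    for i, b in enumerate(code):
        if b == 0xCC:
            yield i, 0x03
        elif b == 0xCD and i + 1 < len(code):
            yield i, code[i + 1]


def scan(code: bytes) -> List[Hit]:
    """Return every anti-SoftICE interrupt check found in `code`, in offset order."""
    hits: List[Hit] = []
    for off, vector in int_sites(code):
        window = code[max(0, off - WINDOW):off]
        for vec, needles, method, desc in RULES:
            if vec == vector and all(n in window for n in needles):
                hits.append(Hit(off, method, desc))
    return hits


# Constructed sample: a harmless DOS print (mov ah,9 / int 21h), then the
# Haspinst.exe back door call from Method 02, then the VxD check of Method 03.
SAMPLE_CODE = bytes.fromhex(
    "B409 CD21"                      # mov ah,09h / int 21h  (benign)
    "B81109 8B17 BE4746 BF4D4A CC"   # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    "31FF 8EC7 B88416 BB0202 CD2F"   # xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
)

if __name__ == "__main__":
    for h in scan(SAMPLE_CODE):
        print(f"{h.offset:04X}: method {h.method} - {h.description}")
```

Run on the constructed buffer it reports the Method 02 call at offset 000Fh and the Method 03 call at 001Ah, and stays silent on the benign int 21h. Looking back over a window rather than matching an exact byte string is what makes it survive the reordered or padded variants packers produce; widen WINDOW if a sample spreads the setup out further.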

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
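The two values quoted above are easier to reason about once DR7 is split into its fields: bit 10 is reserved and always reads as 1, which is where the 0x400 baseline comes from, and 0x700 is that baseline plus the LE and GE flags (bits 8 and 9). The decoder below is an added example, not code from the original text; the bit layout is Intel's documented one, the function and class names are mine, and the sample values are constructed. It reports the same two things the ring-0 check reads: whether the LE/GE pattern is present and which of dr0..dr3 have an armed breakpoint.

```python
"""Decoder for the x86 DR7 value that the ring-0 check of Method 10 reads.

Added example, not code from the original text.  Bit layout (Intel SDM,
vol. 3, "Debug Registers"):
  bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3   local/global enable per breakpoint
  bits 8-9    LE, GE                    exact-breakpoint flags (386/486 era)
  bit 10      reserved, always reads as 1 (hence the 0x400 baseline)
  bit 13      GD                        general detect (trap on DRx access)
  bits 16-31  R/W0 LEN0 .. R/W3 LEN3    condition and length for dr0..dr3
"""
from dataclasses import dataclass
from typing import List

# R/W encoding 10b means I/O read/write only when CR4.DE is set; LEN 10b is
# 8 bytes on 64-bit processors and undefined on 32-bit ones.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # 0..3, i.e. dr0..dr3
    local: bool       # Ln bit
    global_: bool     # Gn bit
    condition: str
    length: int


@dataclass(frozen=True)
class Dr7State:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint]   # only the enabled ones


def decode_dr7(dr7: int) -> Dr7State:
    """Split DR7 into its flags and the enabled hardware breakpoints."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return Dr7State(dr7,
                    le=bool((dr7 >> 8) & 1),
                    ge=bool((dr7 >> 9) & 1),
                    gd=bool((dr7 >> 13) & 1),
                    breakpoints=bps)


def debugger_indicators(dr7: int) -> List[str]:
    """The two observations Method 10 makes, as human-readable findings."""
    st = decode_dr7(dr7)
    findings = []
    if st.le and st.ge:
        findings.append("LE/GE set (0x700 pattern: started through the SoftICE loader)")
    for bp in st.breakpoints:
        scope = "global" if bp.global_ else "local"
        findings.append(f"dr{bp.index} armed: {bp.condition}, {bp.length} byte(s), {scope}")
    return findings


if __name__ == "__main__":
    # Constructed values: the two from the text, plus one with a 4-byte write
    # BPM on dr0 (G0=1, R/W0=01b, LEN0=11b).
    for value in (0x400, 0x700, 0x400 | 0x2 | (0x1 << 16) | (0x3 << 18)):
        print(hex(value), debugger_indicators(value) or ["nothing set"])
```

With 0x400 it reports nothing, with 0x700 only the LE/GE finding, and with the constructed 0xD0402 a global 4-byte write breakpoint on dr0, which is exactly what a BPM would leave behind.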

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
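The breakpoints given for Methods 11, 12 and 13 catch the checks at run time; the same three tricks also leave indicators in the file on disk, which is what an analyst looks for before ever running a sample. The scanner below is an added example, not code from the original text: the function names, the indicator table and the sample image are mine. It searches a binary image for the device names opened by CreateFileA/_lopen (Method 11), the VxDCall argument pair for VWIN32_Int41Dispatch / function 4Fh (Method 12), and the registry paths of Method 13. It goes slightly beyond the listings in that strings are matched case-insensitively in both ASCII and UTF-16LE, since a CreateFileW caller stores the wide form, and both encodings of push 4Fh are accepted.

```python
"""Scanner for the ring-3 SoftICE indicators of Methods 11, 12 and 13 in a
file image.  Added example, not code from the original text.
"""
import re
from typing import Dict, List, Tuple

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"App Paths\Loader32.Exe",
]
# Method 12 call site: push 4Fh (imm8 or imm32 encoding) then push 002A002Ah.
VXDCALL_INT41 = re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")

Finding = Tuple[int, str]   # (offset, encoding or "code")


def find_all(hay: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in hay, overlapping matches included."""
    offsets, i = [], hay.find(needle)
    while i != -1:
        offsets.append(i)
        i = hay.find(needle, i + 1)
    return offsets


def scan_image(data: bytes) -> Dict[str, List[Finding]]:
    """Map each indicator found to the places it occurs."""
    hay = data.lower()   # bytes.lower() folds ASCII only, so UTF-16LE NULs survive
    found: Dict[str, List[Finding]] = {}
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for name in names:
            for enc in ("ascii", "utf-16le"):
                for off in find_all(hay, name.lower().encode(enc)):
                    found.setdefault(f"{kind}:{name}", []).append((off, enc))
    for m in VXDCALL_INT41.finditer(data):
        found.setdefault("vxdcall:VWIN32_Int41Dispatch/4Fh", []).append((m.start(), "code"))
    return found


# Constructed image: a fake header, the ASCII device name from the MeltICE
# listing, the main registry path in UTF-16LE, then a Method 12 call site.
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 6
    + b"\\\\.\\SICE\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16le")
    + bytes.fromhex("6A4F 682A002A00 FF1500000000")   # push 4Fh / push 2A002Ah / call [imm32]
)

if __name__ == "__main__":
    for indicator, places in sorted(scan_image(SAMPLE_IMAGE).items()):
        print(indicator, places)
```

On the constructed image it reports the device name at offset 8 (ASCII), the NuMega registry path at offset 17 (UTF-16LE) and the VxDCall push pair at offset 63. A packed or string-obfuscated sample will hide the strings, so this is a first pass; the run-time breakpoints above remain the reliable way to confirm.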

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>