<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: an int 3 issued with
EBP='BCHK' and AX=4 is serviced by SoftICE, which returns with AL changed;
without SoftICE, AL still holds 4 afterwards, so that is all the check
tests.

     mov     ebp, 04243484Bh   ; 'BCHK'
     mov     ax, 04h
     int     3
     cmp     al,4
     jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' int 3 interface, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command -the command string is at DS:DX)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through the program's own exception handler
  when no debugger is loaded to service the int 3 (the original note calls
  it an SEH).
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back as 0:0 when no VxD with
that ID is loaded, which is why the two halves are simply added and
tested.

     xor     di,di
     mov     es,di
     mov     ax, 1684h
     mov     bx, 0202h         ; VxD ID of winice
     int     2Fh
     mov     ax, es            ; ES:DI -> VxD API entry point
     add     ax, di
     test    ax,ax
     jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

     xor     di,di
     mov     es,di
     mov     ax, 1684h
     mov     bx, 7a5Fh         ; VxD ID of SIWVID
     int     2fh
     mov     ax, es            ; ES:DI -> VxD API entry point
     add     ax, di
     test    ax,ax
     jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

     mov     ax,4fh
     int     41h
     cmp     ax, 0F386h
     jz      SoftICE_detected


The next one, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is
swapped for a plain IRET before the call: if SoftICE is loaded it still
answers 0F386h, because it intercepts the interrupt before the real-mode
vector is consulted; without it, the IRET handler runs and AX keeps 4Fh.

     xor     ax,ax
     mov     es,ax             ; ES = 0 -> interrupt vector table
     mov     bx, cs
     lea     dx, int41handler2
     xchg    dx, es:[41h*4]    ; install our IRET handler, keep the old vector
     xchg    bx, es:[41h*4+2]
     mov     ax,4fh
     int     41h
     xchg    dx, es:[41h*4]    ; restore the old vector
     xchg    bx, es:[41h*4+2]
     cmp     ax, 0f386h
     jz      SoftICE_detected

int41handler2 PROC
     iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant of the preceding method, but harder to spot: the
replacement handler copies AL into CL, so CL==AL after the call means our
own handler ran (no SoftICE), while CL still 0 means something else
answered int 41h. AL is a timer byte read from port 40h, so the check
silently misses when that byte happens to be 0.


int41handler PROC
     mov     cl,al
     iret
int41handler ENDP

     xor     ax,ax
     mov     es,ax             ; ES = 0 -> interrupt vector table
     mov     bx, cs
     lea     dx, int41handler
     xchg    dx, es:[41h*4]    ; install our handler, keep the old vector
     xchg    bx, es:[41h*4+2]
     in      al, 40h           ; pseudo-random byte from the timer
     xor     cx,cx
     int     41h
     xchg    dx, es:[41h*4]    ; restore the old vector
     xchg    bx, es:[41h*4+2]
     cmp     cl,al
     jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode). Function 43h
returns the same 0F386h magic number as int 41h/4Fh.

     mov     ah,43h
     int     68h
     cmp     ax,0F386h
     jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook it
   from a 32-bit app like this:
         BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
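Methods 01 to 07 all hinge on a handful of constants ('BCHK', 'FG'/'JM', the
VxD IDs 0202h and 7A5Fh, functions 4Fh/43h and the 0F386h reply) sitting a
few bytes before the interrupt that consumes them, so a packer's detection
stub is easy to pick out of a raw code dump. The scanner below is an added
example written for this page; it is not part of this text, of SoftICE or of
any of the programs named above. It matches the standard 16-bit x86
encodings of those instructions (the 66h-prefixed mov ebp is covered since
the prefix precedes the bytes matched), pairs each immediate with its
interrupt inside a short forward window that is my own heuristic, and runs
over a constructed byte string that hand-encodes the stubs shown above plus
a decoy 'FG' constant that must not count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { H_BCHK, H_FGJM, H_INT2F_SICE, H_INT2F_SIWVID, H_INT41_4F, H_INT68_43,
       H_MAGIC_F386, H_COUNT };

static const char *const hit_name[H_COUNT] = {
    "int 3, EBP='BCHK' (Method 01)", "int 3, SI='FG' DI='JM' (Method 02)",
    "int 2Fh/1684h, BX=0202h SICE (Method 03)", "int 2Fh/1684h, BX=7A5Fh SIWVID (Method 04)",
    "int 41h, AX=4Fh (Method 05)", "int 68h, AH=43h (Method 07)",
    "cmp ax,0F386h magic (Methods 05/07)"
};

/* Is pat found in the next `window` bytes at p (bounded by left)? A window
 * equal to the pattern length is a plain "starts with" test. */
static int within(const uint8_t *p, size_t left, size_t window,
                  const uint8_t *pat, size_t n)
{
    size_t end = left < window ? left : window;
    for (size_t i = 0; i + n <= end; i++)
        if (memcmp(p + i, pat, n) == 0)
            return 1;
    return 0;
}
#define AT(pat)        within(p, left, sizeof (pat), (pat), sizeof (pat))
#define THEN(win, pat) within(p, left, (win), (pat), sizeof (pat))

/* Scan a raw 16-bit code buffer; counts[] gets one counter per kind and the
 * total is returned. Each immediate must be followed, within a short window
 * (a heuristic 8-24 bytes), by the interrupt that consumes it, so a lone 'FG'
 * constant or a stray int 3 does not count. The 'BCHK' pattern omits the 66h
 * operand-size prefix so it matches 16- and 32-bit encodings alike. */
int scan_softice_checks(const uint8_t *buf, size_t len, int counts[H_COUNT])
{
    static const uint8_t bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh */
    static const uint8_t fg[]     = { 0xBE, 0x47, 0x46 };  /* mov si,4647h */
    static const uint8_t jm[]     = { 0xBF, 0x4D, 0x4A };  /* mov di,4A4Dh */
    static const uint8_t bx202[]  = { 0xBB, 0x02, 0x02 };  /* mov bx,0202h */
    static const uint8_t bx7a5f[] = { 0xBB, 0x5F, 0x7A };  /* mov bx,7A5Fh */
    static const uint8_t ax4f[]   = { 0xB8, 0x4F, 0x00 };  /* mov ax,4Fh */
    static const uint8_t ah43[]   = { 0xB4, 0x43 };        /* mov ah,43h */
    static const uint8_t f386[]   = { 0x3D, 0x86, 0xF3 };  /* cmp ax,0F386h */
    static const uint8_t int3[]   = { 0xCC }, int2f[] = { 0xCD, 0x2F };
    static const uint8_t int41[]  = { 0xCD, 0x41 }, int68[] = { 0xCD, 0x68 };
    int total = 0;

    memset(counts, 0, sizeof(int) * H_COUNT);
    for (size_t i = 0; i < len; i++) {
        const uint8_t *p = buf + i;
        size_t left = len - i;
        int kind = -1;

        if (AT(bchk) && THEN(24, int3))                     kind = H_BCHK;
        else if (AT(fg) && THEN(16, jm) && THEN(24, int3))  kind = H_FGJM;
        else if (AT(bx202) && THEN(16, int2f))              kind = H_INT2F_SICE;
        else if (AT(bx7a5f) && THEN(16, int2f))             kind = H_INT2F_SIWVID;
        else if (AT(ax4f) && THEN(8, int41))                kind = H_INT41_4F;
        else if (AT(ah43) && THEN(8, int68))                kind = H_INT68_43;
        else if (AT(f386))                                  kind = H_MAGIC_F386;
        if (kind >= 0) { counts[kind]++; total++; }
    }
    return total;
}

/* Constructed sample: hand-encoded stubs of Methods 01, 02, 03, 05 and 07,
 * then a decoy 'FG' constant with no 'JM' and no int 3 after it. */
static const uint8_t sample_code[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x10,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10,
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x10,
    0xBE,0x47,0x46, 0x90,0x90, 0xC3
};

/* Hits of one kind in the sample (-1 for an unknown kind). */
int sample_hits(int kind)
{
    int counts[H_COUNT];
    scan_softice_checks(sample_code, sizeof sample_code, counts);
    return (kind >= 0 && kind < H_COUNT) ? counts[kind] : -1;
}

/* Total hits in the sample, listing each kind found. */
int sample_total(void)
{
    int counts[H_COUNT], total = scan_softice_checks(sample_code, sizeof sample_code, counts);
    for (int k = 0; k < H_COUNT; k++)
        if (counts[k]) printf("%-44s x%d\n", hit_name[k], counts[k]);
    return total;
}

int main(void) { printf("%d hit(s)\n", sample_total()); return 0; }
```

On the sample the scanner reports seven hits: one each for Methods 01, 02,
03, 05 and 07 plus two 0F386h compares, and nothing for the SIWVID ID or
for the decoy. Widen the windows if a protector pads its stub with junk
instructions; tighten them if you get false positives on data.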
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It uses int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

     mov     ah, 25h
     mov     al, Int_Number    ; 01h or 03h
     mov     dx, offset New_Int_Routine
     int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is.

     mov     eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
     mov     edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
     VMMCall Get_DDB
     mov     [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
     bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (DR7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether memory breakpoints are set (DR0 to
DR3), simply by reading their values. The values can be manipulated or
changed as well (clearing BPMs, for instance).

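What those register values mean, as an added example that is not part of
this text: DR7 bit 10 is hard-wired to 1, which is the 0x400 baseline;
0x700 adds the LE/GE exact-breakpoint bits, and an armed BPM shows up as the
Ln/Gn enable bit plus the R/Wn and LENn fields of that slot. The decoder
below splits a DR7 value into that per-slot state, flags anything beyond
the baseline, and arms or clears a slot the way a protector would. Reading
the real registers needs ring 0 (mov eax,dr7), so the sample values are
constructed; the code is mine, not SoftICE's or any protector's.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 control bits beyond the four per-slot enable pairs. */
enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9, DR7_RSVD = 1u << 10, DR7_GD = 1u << 13 };

typedef struct {
    int index;          /* 0..3: which of DR0..DR3 */
    int local, global;  /* Ln / Gn enable bits */
    unsigned rw;        /* R/Wn: 0 exec, 1 write, 2 I/O, 3 read/write */
    unsigned bytes;     /* LENn decoded to a byte count */
    uint32_t addr;      /* linear address held in DRn */
} hwbp_t;

/* Split DR7 into per-slot breakpoint state; returns the number armed. */
int dr7_decode(uint32_t dr7, const uint32_t dr[4], hwbp_t out[4])
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 }; /* LEN=10b: 8 bytes, long mode only */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        if (!l && !g)
            continue;
        out[n].index  = i;
        out[n].local  = l;
        out[n].global = g;
        out[n].rw     = (dr7 >> (16 + 4 * i)) & 3;
        out[n].bytes  = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
        out[n].addr   = dr[i];
        n++;
    }
    return n;
}

/* How many of DR0..DR3 this DR7 has armed (addresses not needed). */
int dr7_armed_count(uint32_t dr7)
{
    const uint32_t none[4] = { 0, 0, 0, 0 };
    hwbp_t tmp[4];
    return dr7_decode(dr7, none, tmp);
}

/* Bit 10 always reads as 1, hence the 0x400 of a clean machine. Anything
 * else (LE/GE as in 0x700, GD, or an enable bit) is a debugger's footprint. */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & ~(uint32_t)DR7_RSVD) != 0;
}

/* Arm slot i as a global breakpoint with the given R/W and LEN encodings,
 * the fields a BPM sets; returns the new DR7. */
uint32_t dr7_arm(uint32_t dr7, int i, unsigned rw, unsigned len_enc)
{
    dr7 &= ~(0xFu << (16 + 4 * i));
    dr7 |= (rw & 3u) << (16 + 4 * i);
    dr7 |= (len_enc & 3u) << (18 + 4 * i);
    return dr7 | (1u << (2 * i + 1));
}

/* Disarm slot i (enable bits and condition fields), as a protector clearing BPMs does. */
uint32_t dr7_clear(uint32_t dr7, int i)
{
    dr7 &= ~(3u << (2 * i));
    return dr7 & ~(0xFu << (16 + 4 * i));
}

int main(void)
{
    static const char *const rw_name[4] = { "exec", "write", "io", "read/write" };
    const uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };   /* constructed sample addresses */
    uint32_t dr7 = dr7_arm(0x700u, 0, 3, 3);            /* loader baseline + 4-byte RW BPM in DR0 */
    hwbp_t bp[4];
    int n = dr7_decode(dr7, dr, bp);

    printf("dr7=%08x debugged=%d LE=%d GE=%d GD=%d armed=%d\n", (unsigned)dr7,
           dr7_looks_debugged(dr7), !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD), n);
    for (int k = 0; k < n; k++)
        printf("  DR%d %s %u byte(s) at %08x (%s)\n", bp[k].index, rw_name[bp[k].rw],
               bp[k].bytes, (unsigned)bp[k].addr, bp[k].global ? "global" : "local");
    printf("after dr7_clear: %08x\n", (unsigned)dr7_clear(dr7, 0));
    return 0;
}
```

A protector that only compares DR7 against 0x400 is defeated by a debugger
that restores the registers around the check; one that walks the slots as
above will also see the BPMs themselves, which is why the warning at the
top of this method says to clear them first.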
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE when the SICE device can be opened, i.e. when the Win9x SoftICE
   VxD is loaded and answers the open request (see below). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could a
shareware program load/unload a non-dynamically-loadable driver such as
SoftICE ;-).
If the VxD is loaded it will always clear eax and the carry flag, so the
handle can be opened and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067: push 00402025      ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\"
 prefix so the dword compared is the device name itself):
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

     push 00                   ; OF_READ
     mov eax,[00656634]        ; '\\.\SICE',0
     push eax
     call KERNEL32!_lopen
     inc eax                   ; HFILE_ERROR (-1) becomes 0
     jnz 00650589              ; detected
     push 00                   ; OF_READ
     mov eax,[00656638]        ; '\\.\SICE',0
     push eax
     call KERNEL32!_lopen
     inc eax
     jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

     push    0000004fh         ; function 4fh
     push    002a002ah         ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
     call    Kernel32!ORD_0001 ; VxDCall
     cmp     ax, 0f386h        ; magic number returned by system debuggers
     jz      SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f
     BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; offsets 0x13 and 0x37
are where the 't' of "SoftICE" sits in key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As its name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

     VMMCall Test_Debug_Installed
     je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>