About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: an INT 3
issued with EBP='BCHK' and AX=4 is answered by SoftICE, which changes AL;
without SoftICE nobody touches AL and it still holds 4.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE's INT 3 handler answers this one
    cmp     al,4                   ; AL unchanged -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): a non-zero ES:DI means the VxD is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed
at a dummy IRET handler so that the call is harmless when no debugger is
present, and restored afterwards:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES is assumed to be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]    ; install the dummy handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since it
uses neither function 4Fh nor the 0F386h constant: the dummy handler copies AL
into CL, so CL equals AL afterwards only if the interrupt really reached it.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install the dummy handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; AL = timer counter byte, a hard-to-guess value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring 0 only, since MOV from a debug register is privileged).
Values can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE VxD answers to its device name. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the open succeeded: the driver is there */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in the
subkey strings of #2 and #1 respectively; #3 is not covered):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
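The conditional breakpoints of Method 11 (CreateFileA) and of this method both reduce to "read a dword at a fixed offset into the argument string and compare it with four characters". As an added C example, which is not from the original text nor any SoftICE code, the following reproduces those two conditions on constructed sample arguments, so the offsets 4, 0x13 and 0x37 can be checked rather than trusted. It assumes that a SoftICE 4-character literal such as 'SICE' compares against the bytes in memory order (which is what makes the original expressions work), and that the real breakpoint would read past the terminator of a short string (here that case yields no match instead). The function names are hypothetical. It also adds one caveat the page does not mention: Win32 device-name lookups are case-insensitive, so "\\.\ntice" opens the same device as "\\.\NTICE" but slips past the literal comparison; the `_ci` variant closes that gap.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(expr) reads a dword from memory. Read the dword at an offset of
   a C string the same way, yielding 0 when the string is too short. */
static uint32_t dword_at(const char *s, size_t off)
{
    if (strlen(s) < off + 4)
        return 0;
    return (uint32_t)(unsigned char)s[off]
         | (uint32_t)(unsigned char)s[off + 1] << 8
         | (uint32_t)(unsigned char)s[off + 2] << 16
         | (uint32_t)(unsigned char)s[off + 3] << 24;
}

/* A 4-character literal as the dword it matches in memory ('SICE' -> "SICE"). */
static uint32_t tag(const char *four)
{
    return dword_at(four, 0);
}

static int is_sice_device_tag(uint32_t t)
{
    return t == tag("SICE") || t == tag("SIWV") || t == tag("NTIC");
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   esp->4 is the first stack argument, lpFileName; +4 skips the "\\.\" prefix,
   so the four bytes tested are the start of the device name. */
int bp_createfile_hits(const char *lpFileName)
{
    return is_sice_device_tag(dword_at(lpFileName, 4));
}

/* Same test with the four bytes upper-cased first, so "\\.\ntice" is caught too. */
int bp_createfile_hits_ci(const char *lpFileName)
{
    char up[5] = {0};
    if (strlen(lpFileName) < 8)
        return 0;
    for (int i = 0; i < 4; i++)
        up[i] = (char)toupper((unsigned char)lpFileName[4 + i]);
    return is_sice_device_tag(tag(up));
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is the second argument, lpSubKey (the path below HKEY_LOCAL_MACHINE).
   "Software\NuMega\SoftICE" has its 't' at offset 0x13, and
   "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" at 0x37. */
int bp_regopenkey_hits(const char *lpSubKey)
{
    return dword_at(lpSubKey, 0x13) == tag("tICE")
        || dword_at(lpSubKey, 0x37) == tag("tICE");
}

int main(void)
{
    /* constructed sample arguments, the kind a protected program passes */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\ntice", "C:\\data\\sice.txt" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\"): literal=%d case-insensitive=%d\n",
               files[i], bp_createfile_hits(files[i]), bp_createfile_hits_ci(files[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(HKLM, \"%s\"): %d\n", keys[i], bp_regopenkey_hits(keys[i]));
    return 0;
}
```

The same offset arithmetic explains why the regopenkey breakpoint misses key #3: "Loader32.Exe" never puts "tICE" at either offset, so a program that only looks up the App Paths entry needs its own condition.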

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>