<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of the BoundsChecker interface in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4              ; al is still 4 if nobody answered the call
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE by forcing it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h   ; VxD ID of winice
 int 2Fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax      ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh   ; VxD ID of SIWVID
 int 2fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; assumes es = 0 (the interrupt vector table), as set up in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]      ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al                ; only runs if our handler received the int 41h
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h               ; read the timer: a hard-to-predict value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al                ; cl != al means somebody else handled int 41h
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number       ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name "\\.\SICE" only opens if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                  ; HFILE_ERROR (-1) becomes 0
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
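As an added example (not part of the original text above), here is a small static scanner that looks for the byte patterns of the checks described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, the way an analyst triages a packed sample before stepping into it. The x86 encodings and the sample buffer are worked out and constructed here for the example and are assumptions, not bytes taken from any real packer.

```python
import re

# Byte signatures for the anti-SoftICE checks described on this page. The x86
# encodings were worked out by hand for this example; the optional 0x66 prefix
# covers 16-bit operands inside 32-bit code, and '.{0,8}?' tolerates a few
# unrelated bytes between the parts of one check.
SIGNATURES = {
    "01 BCHK/int3":     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",        # mov ebp,'BCHK' .. int 3
    "02 int3 backdoor": rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",   # mov si,4647h / mov di,4A4Dh
    "03/04 int2F/1684": rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "05 int41/4F":      rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41",            # mov ax,4Fh .. int 41h
    "07 int68/43":      rb"\xB4\x43.{0,8}?\xCD\x68",                      # mov ah,43h .. int 68h
    "11 MeltICE":       rb"\\\\\.\\(SICE|SIWVID|NTICE)",                  # \\.\SICE, \\.\SIWVID, \\.\NTICE
    "12 VxDCall":       rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                 # push 4Fh / push 002A002Ah
    "13 registry":      rb"Software\\NuMega\\SoftICE",
}


def scan_for_softice_checks(blob: bytes):
    """Return a list of (offset, method) hits, sorted by offset, for every
    signature found in blob. An empty list means none of the tricks were seen."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample "binary" (an assumption for this example, not a real file):
# instruction bytes for several of the tricks, separated by NOP filler, followed
# by the device and registry strings that MeltICE-style checks carry.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh ('BCHK')      Method 01
    + b"\x66\xB8\x04\x00"                # mov ax, 4
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al, 4
    + b"\x90" * 3
    + b"\x66\xB8\x11\x09"                # mov ax, 0911h                    Method 02
    + b"\x66\xBE\x47\x46"                # mov si, 4647h
    + b"\x66\xBF\x4D\x4A"                # mov di, 4A4Dh
    + b"\xCC"                            # int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16"                    # mov ax, 1684h (16-bit code)      Method 03
    + b"\xBB\x02\x02"                    # mov bx, 0202h (SICE VxD ID)
    + b"\xCD\x2F"                        # int 2Fh
    + b"\x90" * 3
    + b"\x6A\x4F"                        # push 4Fh                         Method 12
    + b"\x68\x2A\x00\x2A\x00"            # push 002A002Ah
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE"                       Method 11
    + b"Software\\NuMega\\SoftICE\x00"   # registry key                     Method 13
)

if __name__ == "__main__":
    for offset, method in scan_for_softice_checks(SAMPLE):
        print(f"offset 0x{offset:04x}: {method}")
```

Signatures like these only flag candidates; a hit still has to be confirmed in the debugger with the breakpoints listed under each method, since a packer can split or obfuscate the sequences.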