<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; al is unchanged (still 4) when SoftICE is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax           ; ES:DI stays 0000:0000 if no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h             ; without a debugger ax is still 4fh
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but harder to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; read the timer port: an arbitrary, non-constant value
    xor cx, cx
    int 41h                    ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; ...unless something else answered the int 41h
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance)
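Added illustration, not code from the original text: a small Python decoder for
the DR7 layout, so the two values quoted above can be read bit by bit. It assumes
the architectural DR7 bit assignments (L0..G3 enable bits, LE/GE at bits 8-9, the
always-set reserved bit 10, GD at bit 13, and the R/Wn and LENn fields from bit 16
upwards). The values 0x700 and 0x400 are the ones the text quotes; the third
sample, with DR0 armed, is constructed. Reading DR7 itself needs ring0, so the
decoder takes a value that has already been obtained (from a crash dump, or a
debugger's own register view) and explains what a check like this one sees.

```python
"""DR7 decoder, added to illustrate the debug-register check described above.

This is not code from the original text. It applies the architectural DR7
bit layout to a value that has already been read (reading DR7 needs ring0),
so the 0x700 / 0x400 figures quoted in the text can be understood bit by bit.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding; 8 is only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the per-breakpoint slots and the global control bits."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1            # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * n + 1)) & 1         # Gn: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * n)) & 0b11       # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * n)) & 0b11       # LENn: bits 18-19, 22-23, 26-27, 30-31
        slots.append({
            "index": n,
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else None),
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),              # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)), # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),             # general detect: trap any MOV to/from DRn
        "slots": slots,
        "active_hw_breakpoints": [s["index"] for s in slots if s["enabled"]],
    }


def debugger_fingerprint(dr7: int) -> str:
    """Classify a DR7 value the way the check above does."""
    d = decode_dr7(dr7)
    if d["active_hw_breakpoints"]:
        names = ", ".join(f"DR{i}" for i in d["active_hw_breakpoints"])
        return f"hardware breakpoints set in {names}"
    if d["LE"] and d["GE"]:
        return "LE and GE set (the 0x700 pattern: program started under the SoftICE loader)"
    return "no breakpoints, LE/GE clear (the 0x400 pattern: only the always-set bit 10)"


if __name__ == "__main__":
    for value in (0x700, 0x400, 0xF0401):     # the two quoted values plus a constructed one
        print(f"DR7={value:#x}: {debugger_fingerprint(value)}")
```

Bit 10 is the reason a clean machine never reads 0 in DR7: 0x400 is the empty
state, and the extra 0x300 of the loader case is just LE and GE. A memory
breakpoint shows up as one of the Ln/Gn bits plus its R/Wn and LENn fields.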

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* ask the I/O system for a handle to the SICE device */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            /* the open succeeded, so the driver is loaded */
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
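Added triage example, not part of the original text and not the code of any of
the programs named in it: a Python scanner that looks for the byte patterns these
tricks leave in a binary, so an analyst can spot methods 01-07, 11, 12 and 13 in
a sample before running it. The opcode bytes are the standard x86 encodings of
the instructions quoted above (mov ebp,4243484Bh is BD 4B 48 43 42, mov si,4647h
is BE 47 46, int 3 is CC, and so on); the string patterns are the device names of
Method 11 and registry key #2 of Method 13. The sample buffer is constructed. A
match is a lead, not proof: short opcode patterns can occur by chance in data,
and the gaps only allow a few bytes between the instructions of a sequence.

```python
import re

# Byte-pattern signatures for the SoftICE checks described in this text.
# Opcodes are standard x86 encodings; '.{0,8}' tolerates a few bytes of
# unrelated instructions between the parts of a sequence.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    "M01 BoundsChecker BCHK": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3
    "M02 int 3 backdoor magic values": rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/M04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Methods 05/06: mov ax,4Fh / int 41h (the 66h prefix of 32-bit code still leaves B8 4F 00)
    "M05/M06 int 41h function 4Fh": rb"\xB8\x4F\x00.{0,8}\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h function 43h": rb"\xB4\x43.{0,8}\xCD\x68",
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x68\x2A\x00\x2A\x00",
    # Method 11: device names opened by MeltICE-style checks
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: the registry key most checks use (#2 in the list above)
    "M13 SoftICE registry key": rb"Software\\NuMega\\SoftICE",
}

COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(buf: bytes) -> list:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a few of the sequences above glued together with padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                             # Method 11
    + b"\x00" * 3
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it over a whole file with scan(open(path, "rb").read()); the offsets are
where to start disassembling. Methods 09, 10 and 14 have no stable byte pattern
(a VMMCall or a MOV from a debug register is resolved at link or run time), so
those are found by the SoftICE breakpoints given in the text, not by this scan.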

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>