About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE answers to: with
SoftICE loaded, its INT 3 handler services the request ('BCHK' in EBP,
AX=4) and AL no longer reads 4 afterwards. Without SoftICE the INT 3 is an
ordinary breakpoint exception, which the program has to catch itself (see
the SEH note in Method 02).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get VxD entry point"): if the VxD is loaded, ES:DI returns its API
entry point, otherwise ES:DI stays 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector is
swapped for a dummy handler around the call, so that without a debugger
the int 41h returns with ax unchanged; a debugger intercepting int 41h
still answers with 0F386h:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
the handler copies al into cl, so if the int 41h really reached our
handler (no debugger) cl equals the value read from port 40h; otherwise
cl is still 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; an arbitrary value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
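Added example, not from the original text: a decoder for the DR7 value a ring-0 check like this would read. It shows what separates the two readings quoted above (bit 10 of DR7 is reserved and always reads as 1, which is the 0x400 baseline; 0x700 additionally has the LE/GE "exact breakpoint" bits 8 and 9 set) and which of the dr0-dr3 slots are armed, with their type and length, which is the part a protector acts on when it clears BPMs. It does not read the register itself (that needs ring 0); the values are constructed for the demonstration and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one of the four hardware breakpoint slots (DR0..DR3). */
struct hw_bp {
    int enabled;    /* L<n> or G<n> set: the slot is armed */
    int global;     /* G<n> set (survives task switches) */
    int rw;         /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read or write */
    int len_bytes;  /* 1, 2, 4; LEN=2 is undefined in 32-bit mode (8 bytes in 64-bit mode) */
};

/* DR7 layout (Intel SDM, "Debug Registers"):
 *   bit 2n     L<n>  local enable, slot n          (n = 0..3)
 *   bit 2n+1   G<n>  global enable, slot n
 *   bit 8      LE    local exact breakpoint
 *   bit 9      GE    global exact breakpoint
 *   bit 10     reserved, always reads as 1  -> an empty DR7 reads 0x400
 *   bit 13     GD    general detect: trap any MOV to/from a debug register
 *   bits 16+4n..17+4n  R/W<n>,  bits 18+4n..19+4n  LEN<n>
 */
#define DR7_LE  0x100u
#define DR7_GE  0x200u
#define DR7_GD  0x2000u

static int len_field_to_bytes(unsigned len)
{
    switch (len) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* Fill out[0..3] from a DR7 value; returns the number of armed slots. */
int dr7_decode(uint32_t dr7, struct hw_bp out[4])
{
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1u;
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;
        out[i].enabled   = (local | global) ? 1 : 0;
        out[i].global    = (int)global;
        out[i].rw        = (int)((dr7 >> (16 + 4 * i)) & 3u);
        out[i].len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3u);
        armed += out[i].enabled;
    }
    return armed;
}

/* The protector's first question: is any hardware breakpoint (BPM) armed? */
int dr7_any_breakpoint(uint32_t dr7)
{
    struct hw_bp bp[4];
    return dr7_decode(dr7, bp) > 0;
}

/* The 0x700-vs-0x400 distinction from the text: 0x400 is the reserved bit
 * alone, 0x700 additionally has LE and GE set. */
int dr7_exact_flags_set(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Arm `slot` as a 4-byte read/write breakpoint (what a debugger programs
 * for a memory breakpoint); the address itself would go into DR<slot>. */
uint32_t dr7_arm_rw_dword(uint32_t dr7, int slot)
{
    dr7 |= 1u << (2 * slot);        /* L<slot> */
    dr7 |= 3u << (16 + 4 * slot);   /* R/W<slot> = 11b: break on read or write */
    dr7 |= 3u << (18 + 4 * slot);   /* LEN<slot> = 11b: 4 bytes */
    return dr7;
}

/* Constructed sample values (not read from a CPU). */
int main(void)
{
    uint32_t samples[3] = { 0x400u, 0x700u, 0 };
    samples[2] = dr7_arm_rw_dword(0x700u, 0);   /* loader + one BPM on DR0 */
    for (int s = 0; s < 3; s++) {
        struct hw_bp bp[4];
        int n = dr7_decode(samples[s], bp);
        printf("DR7=%08x: LE/GE=%d GD=%d armed=%d\n", (unsigned)samples[s],
               dr7_exact_flags_set(samples[s]), (samples[s] & DR7_GD) != 0, n);
        for (int i = 0; i < 4; i++)
            if (bp[i].enabled)
                printf("  DR%d: %s rw=%d len=%d\n", i,
                       bp[i].global ? "global" : "local", bp[i].rw, bp[i].len_bytes);
    }
    return 0;
}
```

The GD bit is the mirror image of this trick: a debugger that sets it makes the protector's own MOV from DR7 fault into the debugger, which is why the warning above about tracing with the option enabled matters both ways.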

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD; the open only
      succeeds if the VxD is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is SoftICE notation for the dword at [esp+4], here the lpFileName
  argument, so *(esp->4+4) reads the four characters following '\\.\')

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
in keys #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>