<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker int 3 interface that SoftICE implements:
with EBP = 'BCHK' and AX = 4, SoftICE handles the interrupt itself and
returns with AL no longer equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0000:0000, so a non-zero ES+DI means SoftICE is present.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


This one and method 06 are 2 examples from Stone's "stn-wid.zip"
(www.cracking.net). Here the int 41h vector is temporarily replaced by a
plain IRET, so that without a debugger AX comes back unchanged (4Fh);
SoftICE intercepts the interrupt before the real-mode vector is reached,
so it still answers with 0F386h when it is loaded:

        xor ax,ax
        mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, old vector kept in BX:DX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no 4Fh and no 0F386h in the code. The temporary handler copies AL into
CL; AL is loaded from port 40h (timer counter), CX is cleared and int 41h is
issued with no function number. If the program's own handler runs, CL equals
AL afterwards; if SoftICE handles the interrupt itself the handler never
runs, CL stays 0 and the mismatch gives the debugger away (if the byte read
from the timer happens to be 0 the check misses).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
AH=43h is the debugger installation check and returns AX=0F386h when a
system debugger is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
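Most of the checks above leave fixed byte sequences in the protected binary, so they can be found statically without tracing under SoftICE at all. The C program below is an added example and not part of the original text: it scans a buffer for the encodings of methods 01 (the 'BCHK' constant), 02 (the 4647h/4A4Dh magic values), 03 and 04 (int 2Fh/1684h with the SICE and SIWVID VxD IDs), 05 (int 41h/4Fh), the 0F386h compare used by methods 05, 07 and 12, the 002A002Ah VWIN32 service number of method 12 and the \\.\SICE device name of method 11. The HIT_* flag names, the signature table and the two sample buffers are this example's own constructions; the 16-bit encodings are searched, which also match the 32-bit forms since those only add a 66h prefix.

```c
/* Static scan of a binary image for the SoftICE checks described above.
 * Added example (not code from the original page); the sample buffers are
 * constructed here, and the HIT_* names/flags are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    HIT_BCHK       = 1 << 0,  /* method 01: mov ebp,'BCHK' / int 3               */
    HIT_BACKDOOR   = 1 << 1,  /* method 02: si=4647h and di=4A4Dh magic values    */
    HIT_VXD_SICE   = 1 << 2,  /* method 03: int 2Fh/1684h with bx=0202h           */
    HIT_VXD_SIWVID = 1 << 3,  /* method 04: int 2Fh/1684h with bx=7A5Fh           */
    HIT_INT41_4F   = 1 << 4,  /* method 05: mov ax,4Fh / int 41h                  */
    HIT_F386       = 1 << 5,  /* methods 05/07/12: cmp ax,0F386h                  */
    HIT_VWIN32_41  = 1 << 6,  /* method 12: push 002A002Ah (VWIN32_Int41Dispatch) */
    HIT_MELTICE    = 1 << 7   /* method 11: "\\.\SICE" device name                */
};

/* 16-bit encodings; the 32-bit forms add a 66h prefix but contain the same bytes. */
static const uint8_t B_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh      */
static const uint8_t B_SI[]     = { 0xBE, 0x47, 0x46 };             /* mov si,4647h           */
static const uint8_t B_DI[]     = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh           */
static const uint8_t B_SICE[]   = { 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov bx,0202h ; int 2Fh */
static const uint8_t B_SIWVID[] = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov bx,7A5Fh ; int 2Fh */
static const uint8_t B_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 }; /* mov ax,4Fh ; int 41h   */
static const uint8_t B_F386[]   = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h          */
static const uint8_t B_VWIN32[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 002A002Ah         */
static const uint8_t B_DEV[]    = "\\\\.\\SICE";                    /* \\.\SICE (NUL unused)  */

/* Naive substring search; enough for a one-off triage of a small image. */
static int has_bytes(const uint8_t *buf, size_t n, const uint8_t *pat, size_t m)
{
    for (size_t i = 0; m != 0 && i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0)
            return 1;
    return 0;
}

/* Returns a bitmask of HIT_* flags found in buf. Method 02 needs both magic values. */
unsigned scan_softice_checks(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    if (has_bytes(buf, n, B_BCHK, sizeof B_BCHK))       hits |= HIT_BCHK;
    if (has_bytes(buf, n, B_SI, sizeof B_SI) &&
        has_bytes(buf, n, B_DI, sizeof B_DI))           hits |= HIT_BACKDOOR;
    if (has_bytes(buf, n, B_SICE, sizeof B_SICE))       hits |= HIT_VXD_SICE;
    if (has_bytes(buf, n, B_SIWVID, sizeof B_SIWVID))   hits |= HIT_VXD_SIWVID;
    if (has_bytes(buf, n, B_INT41, sizeof B_INT41))     hits |= HIT_INT41_4F;
    if (has_bytes(buf, n, B_F386, sizeof B_F386))       hits |= HIT_F386;
    if (has_bytes(buf, n, B_VWIN32, sizeof B_VWIN32))   hits |= HIT_VWIN32_41;
    if (has_bytes(buf, n, B_DEV, sizeof B_DEV - 1))     hits |= HIT_MELTICE;
    return hits;
}

static const char *hit_name(unsigned bit)
{
    switch (bit) {
    case HIT_BCHK:       return "01 BoundsChecker int 3 ('BCHK')";
    case HIT_BACKDOOR:   return "02 back door magic values (si=4647h, di=4A4Dh)";
    case HIT_VXD_SICE:   return "03 int 2Fh/1684h VxD ID 0202h (SICE)";
    case HIT_VXD_SIWVID: return "04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)";
    case HIT_INT41_4F:   return "05 int 41h function 4Fh";
    case HIT_F386:       return "05/07/12 cmp ax,0F386h";
    case HIT_VWIN32_41:  return "12 VxDCall 002A002Ah (VWIN32_Int41Dispatch)";
    case HIT_MELTICE:    return "11 MeltICE device name \\\\.\\SICE";
    default:             return "?";
    }
}

/* Constructed sample: fragments of methods 01, 02, 12 and 11 glued together. */
static const uint8_t sample_packed[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,             /* mov ebp,4243484Bh ('BCHK')      */
    0x66, 0xB8, 0x04, 0x00, 0xCC,             /* mov ax,4 ; int 3                */
    0x3C, 0x04, 0x75, 0x10,                   /* cmp al,4 ; jnz SoftICE_Detected */
    0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46,       /* mov ax,0911h ; mov si,4647h     */
    0xBF, 0x4D, 0x4A, 0xCC,                   /* mov di,4A4Dh ; int 3            */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00, /* push 4Fh ; push 002A002Ah       */
    0x66, 0x3D, 0x86, 0xF3,                   /* cmp ax,0F386h                   */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0x90, 0x90
};

/* Constructed sample with no anti-SoftICE code at all. */
static const uint8_t sample_clean[] = { 0x90, 'H', 'e', 'l', 'l', 'o', 0x00, 0xC3 };

int main(void)
{
    unsigned hits = scan_softice_checks(sample_packed, sizeof sample_packed);
    for (unsigned bit = 1; bit <= HIT_MELTICE; bit <<= 1)
        if (hits & bit)
            printf("found: %s\n", hit_name(bit));
    printf("clean sample hits: %u\n", scan_softice_checks(sample_clean, sizeof sample_clean));
    return 0;
}
```

Run it on a packer's unpacked code section rather than on the raw file: the patterns only exist once the decryption layer has run, which is also why the SoftICE breakpoints listed for each method remain useful for the packed case.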
__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>