<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface serviced by SoftICE: with 'BCHK'
in EBP and AX=4, an INT 3 is answered by SoftICE, which clears AL.
Without SoftICE nobody touches AL, so it keeps the value 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
To catch the trick before the HBOOT command is reached, break on INT 3
conditioned on the magic values in SI and DI (the same kind of conditional
BPINT used in the methods below).
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0000:0000, which is why both
registers are zeroed first.


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler: without SoftICE the call lands in that handler and returns
with AX unchanged (4Fh), while SoftICE still answers 0F386h because it
services the interrupt itself. ES must point to the interrupt vector table
(segment 0) for the XCHGs to patch the vector; the two lines setting it up
are the same as in Method 06:

    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL. If our handler is the one that runs (no
SoftICE), CL equals AL afterwards; if SoftICE services the interrupt itself,
our handler never runs, CL stays 0 and the compare fails. (If the timer port
happens to return 0 in AL, the check gives a false negative.)


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer: an unpredictable AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), which answers the
same 0F386h magic number to function 43h:

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detection of SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise), or
if there are memory breakpoints set (dr0 to dr3), simply by reading their
value (ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

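What such a ring-0 check actually sees, as an added example that is not part of the original text: a decoder for the DR7 layout (Intel SDM vol. 3: L0/G0..L3/G3 enable bits in bits 0-7, LE in bit 8, GE in bit 9, a reserved bit 10 that always reads as 1 and gives the 0x400 baseline quoted above, GD in bit 13, and the R/W and LEN fields of the four breakpoints in bits 16-31), with the page's heuristic applied to constructed register values. The function names and the sample values are assumptions of this example.

```python
# Added example: decode DR7 as read by the ring-0 check above and apply the
# page's heuristic (dr7 == 0x700 under the SoftICE loader, 0x400 otherwise,
# or any DR0..DR3 breakpoint armed). Bit layout per the Intel SDM, vol. 3.
# Sample register values below are constructed, not captured from a machine.

RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED = 1 << 10   # always reads as 1: the 0x400 baseline
DR7_GD = 1 << 13         # general detect: traps MOV to/from DRn


def decode_dr7(dr7):
    """Return the breakpoints DR7 has armed plus its control flags."""
    armed = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            rw = dr7 >> (16 + 4 * n) & 0b11
            length = dr7 >> (18 + 4 * n) & 0b11
            armed.append({"index": n, "local": local, "global": glob,
                          "type": RW_TYPES[rw], "length": LEN_BYTES[length]})
    return {"breakpoints": armed,
            "le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD),
            "reserved_ok": bool(dr7 & DR7_RESERVED)}


def softice_hints(dr7, dr_addresses=(0, 0, 0, 0)):
    """The page's heuristic: reasons a protection would conclude SoftICE is active."""
    reasons = []
    info = decode_dr7(dr7)
    if info["le"] and info["ge"]:
        reasons.append("LE and GE set: dr7 looks like the 0x700 value "
                       "seen when the program was started by the SoftICE loader")
    for bp in info["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        reasons.append("DR%d armed (%s %s breakpoint, %d byte(s) at 0x%08x): "
                       "a BPM is set" % (bp["index"], scope, bp["type"],
                                          bp["length"], dr_addresses[bp["index"]]))
    return reasons


def clear_bpms(dr7):
    """What the text means by 'clearing BPMs': drop every enable, R/W and LEN
    field and the LE/GE bits; only GD (if any) and the reserved bit survive."""
    return (dr7 & DR7_GD) | DR7_RESERVED


# Constructed samples: clean machine, SoftICE loader, one BPM W at 401000h.
CLEAN_DR7 = 0x400
LOADER_DR7 = 0x700
BPM_WRITE_DR7 = CLEAN_DR7 | 0b01 | (0b01 << 16) | (0b00 << 18)   # L0, RW0=write, LEN0=1

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_DR7), ("loader", LOADER_DR7),
                         ("bpm", BPM_WRITE_DR7)):
        print(label, hex(value), softice_hints(value, (0x401000, 0, 0, 0)))
```

The decoder makes the two numbers in the text concrete: 0x400 is nothing but the reserved bit, and 0x700 adds LE and GE, which is what the loader leaves behind. A BPM shows up as an enable bit plus a non-zero R/W or LEN field, which is also what you have to clear before letting the protected code run.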
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the VxD's device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
The point of this path is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.
    00401067: push 00402025           ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001            ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)


-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):


-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the subkey string; 'tICE' sits at offset 0x13 in key #2 and at
  0x37 in key #1)
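The breakpoints above catch these tricks while the target runs. The same knowledge can be applied statically: the instruction sequences of Methods 01 to 07 and 12, and the device and registry strings of Methods 11 and 13, are fixed byte patterns that can be searched for in a binary before it is ever executed. The scanner below is an added example, not code from the original document or from any tool it mentions; the patterns are the raw encodings of the instructions shown on this page (immediates little-endian), the sample buffer is constructed, and the function names are this example's own.

```python
# Added example (not code from the original document): a static scanner for the
# instruction sequences and strings that the tricks on this page leave in a
# binary. Patterns are the raw encodings of the instructions shown above
# (immediates little-endian); a 66h operand-size prefix in front of a MOV in
# 16-bit code does not disturb the match. The sample buffer is constructed.
import re

SIGNATURES = [
    ("Method 01: mov ebp,4243484Bh ('BCHK')",
     rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02: mov si,4647h / mov di,4A4Dh (back door magic values)",
     rb"\xBE\x47\x46\xBF\x4D\x4A"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("Method 05: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11: SoftICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 13: SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data):
    """Return (offset, description) for every signature hit, in file order."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """Set of method numbers (as numbered on this page) whose pattern is present."""
    return {int(name[7:9]) for _, name in scan(data)}


# Constructed sample: a 16-bit code fragment using Methods 01 and 05, then the
# MeltICE device string, padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"     # mov ebp,4243484Bh (66h prefix: 16-bit code)
    + b"\x66\xB8\x04\x00\xCC"         # mov ax,4 / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"         # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"                 # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"              # "\\.\SICE"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

A hit only tells you where to set the breakpoint; a packer can split the magic values across instructions or build the device string at run time, so the dynamic breakpoints above remain the reliable check.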
# v8 m4 @9 s6 d9 _8 p
3 a, V& l2 x3 Y4 L__________________________________________________________________________* r q0 b/ C$ e' m% K' E
: [) [2 \; M/ w% b/ M$ H
+ O& e, Q( u, {5 m; pMethod 14
! O2 I* Z# u) R7 |% q=========' _2 H& |( ?0 X
3 Y' _, o8 w9 k+ c) [. [7 V
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose0 z3 r7 H! @. o, j" h- T* @+ }9 b
is to determines whether a debugger is running on your system (ring0 only)." y3 Q s: ]# w. P% Z6 A) g$ x- F
& K O% ]( m1 n" K, U VMMCall Test_Debug_Installed
( S8 I+ L; s+ }- H0 E, A! w& C je not_installed/ [7 ~4 X1 ~2 O4 C; }' S
& _" `% J- M% h3 T4 c% S" S. kThis service just checks a flag.
# h S8 j2 A; L8 o- p1 n0 M8 ~</PRE></TD></TR></TBODY></TABLE> |