About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al unchanged (still 4) means nobody answered the request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0, so an unanswered call leaves it zero
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (assumes es = 0, the IVT segment)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our own handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; varying byte from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler never ran, someone else took int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06), but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
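As an added example (not part of the original article), here is a small Python signature scanner that flags the byte patterns of Methods 01, 02, 03/04, 05, 07, 11 and 13 in a binary: the kind of triage check an analyst runs over a sample to know which of the tricks above to expect before stepping into it with a debugger. The byte encodings are my own assembly of the instructions quoted in the text (16-bit real-mode encodings for the DOS snippets, 32-bit for Method 01); the device names and the registry path are taken from the text; the sample blob is constructed.

```python
"""Signature triage for the anti-SoftICE tricks described above.

Added example, not part of the original article. Byte encodings are my own
assembly of the quoted instructions. A protector can use equivalent encodings
(e.g. 33 FF instead of 31 FF for xor di,di) or split the sequence further, so
a miss here proves nothing; a hit is a hint of what to expect, not proof.
"""
from __future__ import annotations

import re
from typing import List, NamedTuple


class Signature(NamedTuple):
    method: str     # method number in the text above
    name: str
    pattern: bytes  # regex over raw bytes; '.{0,n}?' tolerates a few interleaved instructions


class Hit(NamedTuple):
    method: str
    name: str
    offset: int


SIGNATURES: List[Signature] = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC) ... cmp al,4 (3C 04)
    Signature("01", "BoundsChecker 'BCHK' request via int 3",
              rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC.{0,8}?\x3C\x04"),
    # Method 02: mov si,4647h (BE 47 46) ; mov di,4A4Dh (BF 4D 4A) ; int 3 (CC), 16-bit code
    Signature("02", "SoftICE back door magic values in SI/DI",
              rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h (B8 84 16) ; mov bx,0202h or 7A5Fh (BB ..) ; int 2Fh (CD 2F)
    Signature("03/04", "int 2Fh/1684h lookup of the SICE/SIWVID VxD entry point",
              rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41) ; cmp ax,0F386h (3D 86 F3)
    Signature("05", "int 41h/4Fh debugger installation check",
              rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68) ; cmp ax,0F386h (3D 86 F3)
    Signature("07", "int 68h/43h WinICE handler check",
              rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 11: '\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' passed to CreateFileA / _lopen
    Signature("11", "MeltICE driver device name",
              re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: the registry key the text says is usually probed (#2)
    Signature("13", "SoftICE registry key path",
              re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature match in blob, ordered by file offset."""
    hits: List[Hit] = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, blob, re.DOTALL):
            hits.append(Hit(sig.method, sig.name, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def report(blob: bytes) -> List[str]:
    """Human-readable line per hit: offset, method number, description."""
    return [f"0x{h.offset:08X}  method {h.method:<5} {h.name}" for h in scan(blob)]


def build_sample() -> bytes:
    """Constructed test blob: NOP padding around hand-assembled instances of
    the methods above plus the MeltICE device name and the registry path."""
    pad = b"\x90" * 8
    pieces = [
        bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 00"),  # Method 01 (32-bit)
        bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"),        # Method 02 (HASP loop body)
        bytes.fromhex("31 FF 8E C7 B8 84 16 BB 02 02 CD 2F"),        # Method 03
        bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 00"),              # Method 05
        bytes.fromhex("B4 43 CD 68 3D 86 F3"),                       # Method 07
        b"\\\\.\\SICE\x00",                                          # Method 11
        b"Software\\NuMega\\SoftICE\x00",                            # Method 13
    ]
    return pad + pad.join(pieces)


if __name__ == "__main__":
    for line in report(build_sample()):
        print(line)
```

To run it over a real file, pass `open(path, "rb").read()` to `report()`. The lazy `.{0,n}?` gaps let a few unrelated instructions sit between the marker bytes, as in the Method 02 loop, while keeping the match local enough that the fixed immediates (the 'BCHK' constant, 4647h/4A4Dh, 1684h, 0F386h) do the discriminating; the strings of Method 11 and 13 are the cheapest check and the one most commonly caught in practice.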