<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected
int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE VxD answers to its device name,
   i.e. when the driver is loaded and hands out a handle. */
BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* handle obtained: the driver is present */
 return TRUE;
 }
 return FALSE; /* open failed: no SoftICE driver under that name */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
 VMMCall Test_Debug_Installed
 je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>