<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4               ; SoftICE's BoundsChecker interface clears al
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax             ; ES:DI still 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method and the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (assumes ES = 0, the interrupt vector table segment, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler ...
    xchg bx, es:[41h*4+2]  ; ... keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h         ; only a debugger hooking int 41h answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our handler copies al to cl; a debugger's won't
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h             ; a changing value (timer) so cl != al by default
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; cl == al only if our handler was really called
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
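Method 10 only quotes two DR7 values. The decoder below is an added example (not part of the original text): it spells out what 0x700 and 0x400 mean bit by bit and lists which DR0-DR3 hardware breakpoints (SoftICE BPMs) are armed, using the standard DR7 bit layout. SAMPLE_BPM is a constructed value, not one from the page.

```python
# Added example: decode the DR7 value that Method 10 reads in ring0.
# Bit layout is the standard x86 one: L0-L3/G0-G3 in bits 0-7, LE bit 8,
# GE bit 9, reserved bit 10 (always reads 1), GD bit 13, then four
# (R/W, LEN) pairs from bit 16 upward.

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes in 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Return the global flags of DR7 and every armed breakpoint slot."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # L0..L3 : bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1      # G0..G3 : bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3       # R/Wn   : bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * i)) & 3       # LENn   : bits 18-19, 22-23, ...
        bps.append({"slot": i,
                    "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw],
                    "length": LEN_NAMES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),   # general detect: trap on DRx access
        "breakpoints": bps,
    }


def classify_dr7(dr7: int) -> str:
    """Map a DR7 value onto the two reference values quoted in Method 10."""
    if dr7 == 0x700:
        return "loaded with SoftICE loader (LE/GE set, no BPM)"
    if dr7 == 0x400:
        return "no SoftICE loader signature (reserved bit only)"
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "%d hardware breakpoint(s) armed" % len(info["breakpoints"])
    return "unusual DR7 value 0x%x" % dr7


# Constructed: one global read/write breakpoint of 4 bytes in slot 0 (the
# shape of a SoftICE BPM) plus the always-set reserved bit 10.
SAMPLE_BPM = 0x400 | (1 << 1) | (3 << 16) | (3 << 18)

if __name__ == "__main__":
    for v in (0x700, 0x400, SAMPLE_BPM):
        print(hex(v), classify_dr7(v), decode_dr7(v)["breakpoints"])
```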
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name "\\.\SICE" only exists while the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; _lopen returns -1 on failure, so eax becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
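The checks of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 leave fixed byte and string patterns in a protected executable, which is useful when triaging a packed sample before loading it in a debugger. The scanner below is an added example (not from the original text or any tool it mentions): it flags those patterns in a raw file image. The opcode bytes are the standard 16/32-bit x86 encodings of the instructions quoted above; the sample image and its offsets are constructed.

```python
# Added example: static triage for the anti-SoftICE sequences listed on this
# page. Patterns are regexes over raw bytes; '.' matches any byte (DOTALL).
import re

SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",           # mov ebp,4243484Bh ... int 3
    "M02 back door magic SI=4647/DI=4A4D":
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC",
    "M03/M04 int 2Fh/1684h VxD ID 0202/7A5F":
        rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",         # mov bx,ID ; int 2Fh
    "M05 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00.{0,2}?\xCD\x41",          # mov ax,4Fh ; int 41h
    "M05/M07/M12 compare with 0F386h":
        rb"\x66?\x3D\x86\xF3",                         # cmp ax,0F386h
    "M07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",                          # mov ah,43h ; int 68h
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x68\x4F\x00\x00\x00|\x6A\x4F)\x68\x2A\x00\x2A\x00",  # push 4Fh; push 2A002Ah
}
# MeltICE device names (Method 11) and the registry path (Method 13), looked
# up both as ANSI and as UTF-16LE strings.
STRINGS = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
           b"Software\\NuMega\\SoftICE"]

_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes) -> list:
    """Return sorted (offset, description) hits over the whole image."""
    hits = []
    for name, rx in _COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), name))
    for s in STRINGS:
        for enc, needle in (("ansi", s), ("utf16", s.decode().encode("utf-16-le"))):
            pos = image.find(needle)
            while pos != -1:
                hits.append((pos, "M11/M13 string %s (%s)" % (s.decode(), enc)))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


def methods_found(image: bytes) -> set:
    """Distinct signature names hit, for a quick triage verdict."""
    return {name for _, name in scan(image)}


# Constructed sample: padding, a Method 01 check, a Method 12 VxDCall with its
# 0F386h compare, and the MeltICE 'SICE' device name. Not a real program.
SAMPLE = (b"\x90" * 4
          + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # mov ebp,'BCHK'; mov ax,4; int 3
          + b"\x3C\x04\x75\x10"                            # cmp al,4 ; jnz
          + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 002A002Ah
          + b"\x66\x3D\x86\xF3"                            # cmp ax,0F386h
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("0x%04x  %s" % (off, name))
```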

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>