About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler as int 41h
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value (timer counter) in al
    xor     cx,cx                   ; cl = 0 until our handler runs
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
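As an added illustration (not part of the original text), the decoder below splits a DR7 value into its fields, following the documented x86 DR7 layout, so the two values quoted above can be read. The sample values are the text's 0x700 and 0x400 plus one constructed value with a breakpoint armed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7, the x86 debug control register. */
typedef struct {
    int local[4];   /* L0..L3 (bits 0,2,4,6): breakpoint i enabled for this task   */
    int global[4];  /* G0..G3 (bits 1,3,5,7): breakpoint i enabled for all tasks   */
    int rw[4];      /* R/Wi (bits 16+4i): 0 exec, 1 write, 2 I/O, 3 read or write  */
    int len[4];     /* LENi (bits 18+4i): 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes     */
    int le, ge;     /* bits 8 and 9: local/global exact-breakpoint enables          */
    int gd;         /* bit 13: general detect, traps any access to debug registers  */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    for (int i = 0; i < 4; i++) {
        d.local[i]  = (dr7 >> (2 * i))      & 1;
        d.global[i] = (dr7 >> (2 * i + 1))  & 1;
        d.rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints (dr0..dr3) that are armed: BPMs in SoftICE terms. */
int dr7_armed_breakpoints(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.local[i] || d.global[i]);
    return n;
}

/* The text's heuristic: 0x700 differs from 0x400 only in LE and GE (bits 8 and 9).
 * Bit 10 is a reserved bit that always reads as 1, so 0x400 means "nothing set". */
int dr7_matches_softice_loader(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge;
}

int main(void)
{
    /* Values from the text plus a constructed one: dr0 armed as a 4-byte write BPM. */
    uint32_t samples[] = { 0x700, 0x400, 0x400 | 1u | (1u << 16) | (3u << 18) };
    for (int i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("dr7=0x%05X le=%d ge=%d gd=%d armed=%d loader=%d\n", (unsigned)samples[i],
               d.le, d.ge, d.gd, dr7_armed_breakpoints(samples[i]),
               dr7_matches_softice_loader(samples[i]));
    }
    return 0;
}
```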

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver accepts an open: the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
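The checks quoted in Methods 01 to 07, 11, 12 and 13 leave recognisable byte sequences and strings in a binary, so they can be flagged statically when triaging a sample. The scanner below is an added example, not code from the original text: the patterns are standard x86 encodings of the quoted instructions, and the sample buffer is constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One signature: the method of the text it belongs to, and the raw bytes. */
typedef struct { const char *name; const unsigned char *pat; size_t len; } sig_t;

/* Encodings of the checks quoted in the text (16-bit code unless noted). */
static const unsigned char m01[] = {0xBD,0x4B,0x48,0x43,0x42};               /* mov ebp,'BCHK' (32-bit) */
static const unsigned char m02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};     /* mov si,4647h; mov di,4A4Dh; int 3 */
static const unsigned char m03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* ax=1684h, bx=0202h, int 2Fh */
static const unsigned char m04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* ax=1684h, bx=7A5Fh, int 2Fh */
static const unsigned char m05[] = {0xB8,0x4F,0x00,0xCD,0x41};               /* mov ax,4Fh; int 41h */
static const unsigned char m07[] = {0xB4,0x43,0xCD,0x68};                    /* mov ah,43h; int 68h */
static const unsigned char m12[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};     /* push 4Fh; push 2A002Ah (32-bit) */

#define BIN(n, a) { n, a, sizeof(a) }
#define STR(n, s) { n, (const unsigned char *)(s), sizeof(s) - 1 }
static const sig_t sigs[] = {
    BIN("01 BoundsChecker 'BCHK' handshake", m01),
    BIN("02 back door magic SI/DI + int 3",  m02),
    BIN("03 int 2Fh/1684h SICE VxD id",      m03),
    BIN("04 int 2Fh/1684h SIWVID VxD id",    m04),
    BIN("05 int 41h function 4Fh",           m05),
    BIN("07 int 68h function 43h",           m07),
    BIN("12 VxDCall VWIN32_Int41Dispatch",   m12),
    STR("11 device name \\\\.\\SICE",        "\\\\.\\SICE"),
    STR("11 device name \\\\.\\SIWVID",      "\\\\.\\SIWVID"),
    STR("11 device name \\\\.\\NTICE",       "\\\\.\\NTICE"),
    STR("13 registry key Software\\NuMega",  "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Plain byte search; samples are small, so nothing smarter is needed. */
static int contains(const unsigned char *buf, size_t n, const unsigned char *pat, size_t len)
{
    for (size_t i = 0; len && i + len <= n; i++)
        if (memcmp(buf + i, pat, len) == 0) return 1;
    return 0;
}

/* Returns a bitmask: bit i is set when sigs[i] occurs somewhere in buf. */
unsigned scan_softice_sigs(const unsigned char *buf, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, n, sigs[i].pat, sigs[i].len)) mask |= 1u << i;
    return mask;
}

/* Constructed sample: filler, the Method 03 check, then the Method 13 key. */
const unsigned char sample[] = {
    0x90, 0x90, 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, 0x90, 0xC3,
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\',
    'S','o','f','t','I','C','E', 0 };
const size_t sample_len = sizeof sample;

int main(void)
{
    unsigned hits = scan_softice_sigs(sample, sample_len);
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("found: Method %s\n", sigs[i].name);
    return hits ? 1 : 0;  /* non-zero exit = an anti-SoftICE check is present */
}
```

Patterns this tight miss variants that reorder or split the instructions, and the registry path should be matched case-insensitively in practice.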

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>