<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It looks for the
BoundsChecker interface inside SoftICE: the program loads the 'BCHK'
signature into EBP and issues an int 3. Without SoftICE the int 3 returns
with AL unchanged (still 04h); when SoftICE is loaded its BoundsChecker
handler answers the call and AL comes back with a different value.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which returns information about
breakpoints or executes SoftICE commands. It is also used to crash SoftICE
or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description of the functions:

-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:

-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' SoftICE checks for. For more information, see
"Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler set up by the
program, which only gets control if the debugger is not loaded (SoftICE
consumes the int 3 itself when it is present).
___________________________________________________________________________


Method 03
=========

A less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is not
loaded, ES:DI comes back zero.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it asks for the SoftICE GFX
VxD (SIWVID) instead.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first replaces the real-mode
int 41h vector with a handler that simply IRETs, so that on a clean system
AX is guaranteed to come back unchanged; SoftICE intercepts int 41h before
the real-mode vector is reached and still answers 0F386h.

        xor     ax, ax
        mov     es, ax                  ; ES = 0: the interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second variant similar to the preceding one but harder to detect: there
is no function 4Fh and no compare against 0F386h. AL is loaded from the
timer (port 40h), so its value is unpredictable, and the program's own
int 41h handler copies AL into CL. If SoftICE intercepts int 41h and does
not pass it on to the real-mode vector, that handler never runs, CL stays
zero and the mismatch gives the debugger away.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0: the interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; unpredictable value from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger
interface): function 43h returns 0F386h in AX when a debugger is installed.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (which hangs the computer...):

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB VMM service determines whether a VxD with the specified device
ID is installed and returns its Device Description Block (in ECX) if it is.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with SoftICE Loader, 0x400 otherwise; the two extra bits are the
LE/GE exact-breakpoint enables, bit 10 always reads as 1) and whether
memory breakpoints are set (DR0 to DR3 hold their addresses, DR7 their
enable bits). The values can be manipulated or changed as well (clearing
BPMs, for instance).

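To make the DR7 values quoted above concrete, here is an added Python decoder (not code from the original text): fed the raw DR0..DR3 and DR7 contents a ring-0 component would read, it lists the armed hardware breakpoints, tests for the LE/GE bits that turn 0x400 into 0x700, and computes the DR7 value that disarms every BPM. The register values in the usage at the bottom are constructed for the demonstration, not dumped from a real machine.

```python
"""Decoder for the debug-register values Method 10 reads in ring 0.

Added example, not from the original text: given raw DR0..DR3 and DR7
contents it lists the hardware breakpoints that are armed and flags the
LE/GE bits behind the 0x700 value the text attributes to SoftICE Loader.
The values used at the bottom are constructed, not read from a machine.
"""
from collections import namedtuple

Breakpoint = namedtuple("Breakpoint", "slot address kind length scope")

# DR7 layout (Intel): bits 0-7 alternate L0,G0 .. L3,G3; bit 8 LE, bit 9 GE,
# bit 10 always reads as 1; bits 16+4n hold R/Wn (2 bits), 18+4n LENn (2 bits).
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3):
    """Return the armed breakpoints described by DR7, with addresses from DR0..DR3."""
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                      # slot disabled: DRn content is stale
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        bps.append(Breakpoint(slot, dr0_3[slot], RW_KINDS[rw], LEN_BYTES[ln],
                              "global" if glob else "local"))
    return bps


def has_exact_breakpoint_enables(dr7):
    """True when LE and GE (bits 8 and 9) are set: 0x700 rather than 0x400."""
    return (dr7 & 0x300) == 0x300


def clear_bpm(dr7):
    """DR7 value that disarms all four breakpoints (the 'clearing BPMs' case)
    while keeping LE/GE and the always-set bit 10 as they were."""
    return (dr7 & 0xFF00) | 0x400


if __name__ == "__main__":
    # constructed: DR0 armed as a local 4-byte read/write BPM, DR2 as a global
    # execute breakpoint, on top of the 0x700 LE/GE/bit-10 pattern
    dr7 = 0x000F0721
    regs = [0x00401000, 0, 0x0040A2F0, 0]
    print("LE/GE set (SoftICE Loader pattern):", has_exact_breakpoint_enables(dr7))
    for bp in decode_dr7(dr7, regs):
        print("DR%d %08X %-10s len=%d %s" % bp)
    print("DR7 after clear_bpm: %08X" % clear_bpm(dr7))
```

Reading the registers themselves still needs ring 0 (a VxD, or a driver on NT); the decoder only interprets what such a component hands back.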
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE VxD answers the open, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is there */
        return TRUE;
    }
    return FALSE;               /* no such device */
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA the request goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the
VxDCall function), and then walks the DDB list until it finds the VxD and
its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could a
shareware program load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the carry
flag to allow the handle to be opened, and SoftICE is detected. You can
check that simply by hooking the Winice.exe control proc entry point while
running MeltICE.

00401067: push 00402025             ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091

There are hundreds of breakpoints you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word: which VxD (VWIN32)
                                        ; low word: which service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, there are several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory. It is
used by a few programs, which read the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

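Most of the methods above boil down to a handful of fixed constants and strings in the protected program, which makes them easy to find statically before you ever run the target under SoftICE. The following Python scanner is an added example (not code from the original text): it searches a raw code/data blob for the 16-bit encodings of the method 01, 02, 03/04, 05 and 07 probes, the 32-bit VxDCall sequence of method 12, the device names of method 11 and the registry key of method 13, and for a method 02 hit it also decodes which back-door function (0910h..0914h) the preceding mov ax loads. The sample blob at the bottom is hand-assembled from the snippets shown above, not taken from a real binary; on a real file call scan(open(path, "rb").read()).

```python
"""Static scanner for the anti-SoftICE probes catalogued on this page.

Added example, not code from the original text: it searches a raw code/data
blob for the constants and strings the methods rely on and reports which
method each hit belongs to.  Encodings are 16-bit real-mode for the DOS-era
probes (methods 01-07) and 32-bit for the Win32 ones (methods 11-13).  The
SAMPLE blob is constructed by hand from the page's snippets.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset method detail")

# Back-door functions reached through int 3 with SI=4647h / DI=4A4Dh (method 02).
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint information",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# (method, description, byte regex).  Scanned with re.DOTALL so '.' is any byte.
RULES = [
    ("01", "BoundsChecker 'BCHK' tag loaded into EBP before int 3",
     rb"\xbd\x4b\x48\x43\x42"),                            # mov ebp,4243484Bh
    ("02", "int 3 back door magic values SI=4647h/DI=4A4Dh",
     rb"(?:\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46)"),
    ("03/04", "int 2Fh/1684h entry-point probe for VxD ID 0202h or 7A5Fh",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),        # mov bx,ID .. int 2Fh
    ("05", "int 41h function 4Fh debugger installation check",
     rb"\xb8\x4f\x00.{0,24}?\xcd\x41"),                   # mov ax,4Fh .. int 41h
    ("07", "int 68h function 43h (V86) debugger installation check",
     rb"\xb4\x43.{0,8}?\xcd\x68"),                        # mov ah,43h .. int 68h
    ("05/07/12", "compare of AX against the 0F386h magic number",
     rb"\x3d\x86\xf3"),                                   # cmp ax,0F386h
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),                   # push 4Fh / push 002A002Ah
    ("11", "SoftICE device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13", "NuMega registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def _backdoor_function(blob, pos):
    """Find the 'mov ax, 09xxh' that precedes a back-door call at pos."""
    window = blob[max(0, pos - 16):pos]
    found = list(re.finditer(rb"\xb8(.)\x09", window, re.DOTALL))
    return 0x0900 | found[-1].group(1)[0] if found else None


def scan(blob):
    """Return every rule hit in blob as a list of Hit, sorted by offset."""
    hits = []
    for method, desc, pattern in RULES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            detail = desc
            if method == "02":
                func = _backdoor_function(blob, m.start())
                if func is not None:
                    detail = "%s: AX=%04Xh (%s)" % (
                        desc, func, BACKDOOR_FUNCS.get(func, "unknown function"))
            elif method == "11":
                detail = "%s: %s" % (desc, m.group(0).decode("ascii"))
            hits.append(Hit(m.start(), method, detail))
    return sorted(hits)


# Constructed sample: hand-assembled encodings of the page's own snippets.
SAMPLE = (
    b"\x90" * 4
    # method 02 as in Haspinst.exe: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    # method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    # method 03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    # method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"
    # method 12: push 4Fh / push 002A002Ah
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"
    # methods 11 and 13: device names and registry key as C strings
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%05X  method %-8s %s" % (h.offset, h.method, h.detail))
```

The patterns are deliberately narrow (exact register choices, short gaps between the mov and the int), so a packer that shuffles registers or splits the sequence will slip past them; widen the gaps or add alternatives when you meet a variant, and treat the 3D 86 F3 compare as a hint rather than proof, since three data bytes can match it by chance.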
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>