About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements on INT 3:
with EBP = 'BCHK' and AX = 4, SoftICE answers the interrupt and changes AL,
whereas without SoftICE the INT 3 returns with AL still equal to 4 (the check
only cares that AL is no longer 4).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands' on INT 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed by
  the program, which only gets control if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It asks for the SoftICE VxD's API entry point via
int 2Fh, function 1684h (Get Device API Entry Point): ES:DI comes back as
0:0 when no VxD with that ID is loaded, and non-zero otherwise.

    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

Note that adding ES and DI is a sloppy non-zero test (a segment and an offset
whose sum wraps to 0 would be missed); a careful protector ORs them instead.
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh, the Windows debugger installation
check: only a system debugger answers it with AX = 0F386h.
There are several alternatives.  

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
in the IVT at a dummy IRET handler; if AX still comes back as 0F386h, the
call was answered by something sitting above the IVT, i.e. SoftICE:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (the IVT) here
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect, since
it never asks for function 4Fh nor compares anything with 0F386h.
It installs its own int 41h handler, which copies AL into CL, loads AL with a
pseudo-random byte read from the timer port, clears CX and issues int 41h.
If the handler in the IVT really ran, CL equals AL afterwards; if SoftICE
intercepts int 41h and does not pass the call down to the IVT handler, CL is
still 0 and the debugger is detected. (When the byte read from port 40h is
itself 0 the check silently fails, once in 256 runs.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86), the installation check
of the Windows 386 system debugger interface (AH = 43h returns AX = 0F386h
when a debugger is present):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
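A static signature scan for the interrupt-based checks of methods 01 to 07, as an added example that is not part of the original text: it encodes the instruction sequences quoted above as byte patterns and reports where they occur in a file image, which is a cheap first pass before loading a suspect DOS or Win9x binary under the debugger. The x86 encodings and the amount of slack allowed between instructions are my own choices, and the sample buffer is constructed for the example, not taken from any real protector.

```python
import re

# Byte patterns for the tricks of methods 01-07. Standard 16-bit x86
# encodings; ".{0,N}?" allows a few instructions in between. The same
# patterns also hit 32-bit code, where these instructions carry a 66h prefix.
SIGNATURES = {
    # mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    "M01": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL),
    # mov si,4647h (BE 47 46) ... mov di,4A4Dh (BF 4D 4A) ... int 3
    "M02": re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL),
    # mov ax,1684h (B8 84 16) ... mov bx,0202h | 7A5Fh ... int 2Fh (CD 2F)
    "M03/04": re.compile(
        rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.DOTALL),
    # mov ax,4Fh (B8 4F 00) ... int 41h (CD 41) ... cmp ax,0F386h (3D 86 F3)
    "M05": re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL),
    # in al,40h (E4 40) ... int 41h ... cmp cl,al (38 C1 or 3A C8)
    "M06": re.compile(rb"\xe4\x40.{0,8}?\xcd\x41.{0,16}?(?:\x38\xc1|\x3a\xc8)", re.DOTALL),
    # mov ah,43h (B4 43) ... int 68h (CD 68) ... cmp ax,0F386h
    "M07": re.compile(rb"\xb4\x43.{0,8}?\xcd\x68.{0,16}?\x3d\x86\xf3", re.DOTALL),
}


def scan(data: bytes):
    """Return sorted (offset, method) pairs for every signature found in data."""
    hits = []
    for name, rx in SIGNATURES.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image (not a real binary): the HASP-style INT 3 loop of
# method 02, then the method 03 and method 05 checks, padded with NOPs (90h).
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"      # mov ax,0911h   (execute command)
    + b"\x8b\x17"          # mov dx,[bx]
    + b"\xbe\x47\x46"      # mov si,4647h   (1st magic value)
    + b"\xbf\x4d\x4a"      # mov di,4A4Dh   (2nd magic value)
    + b"\xcc"              # int 3
    + b"\x90" * 8
    + b"\x31\xff"          # xor di,di
    + b"\x8e\xc7"          # mov es,di
    + b"\xb8\x84\x16"      # mov ax,1684h
    + b"\xbb\x02\x02"      # mov bx,0202h   (SICE)
    + b"\xcd\x2f"          # int 2Fh
    + b"\x90" * 8
    + b"\xb8\x4f\x00"      # mov ax,4Fh
    + b"\xcd\x41"          # int 41h
    + b"\x3d\x86\xf3"      # cmp ax,0F386h
    + b"\x90" * 8
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

Run it on a file to get offsets to put a BPX on; on the constructed sample it reports the method 02 sequence at 0x0d, the method 03 check at 0x20 and the method 05 check at 0x30. A protector that builds the magic values at run time (or splits them with junk instructions longer than the slack) will slip past such a scan, which is why the page's breakpoint conditions remain the reliable way to catch the tricks.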


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h (the single-step and breakpoint interrupts
the debugger depends on) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxdCall
backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise:
bit 10 of DR7 always reads as 1, and the loader additionally sets the LE and
GE bits 8 and 9) or if there are some memory breakpoints set (dr0 to dr3 hold
the addresses, DR7 the enable bits) simply by reading their value (in ring0
only, since the DRn registers are privileged). Values can be manipulated or
changed as well (clearing BPMs for instance).


__________________________________________________________________________
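To make the DR7 values quoted above concrete, here is an added example (not from the original text) that decodes DR7 into the fields a protector reading the debug registers looks at: the per-register enable bits, the R/W and LEN fields describing each armed breakpoint, and the LE/GE bits that distinguish 0x700 from 0x400. The bit layout is the documented x86 one; the sample values and the verdict strings are constructed for the example.

```python
# x86 DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit 8 / 9   LE / GE                  local/global exact breakpoint
#   bit 10      reserved, reads as 1     (hence the 0x400 floor)
#   bit 13      GD                       general detect: trap any DRn access
#   bits 16+4i  R/Wi (2 bits), bits 18+4i LENi (2 bits), i = 0..3
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its flags and the list of armed hardware breakpoints."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        armed.append({
            "reg": i,
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": armed,
    }


def encode_bpm(reg: int, kind: str, length: int, local: bool = True) -> int:
    """DR7 value a memory breakpoint on DR<reg> produces (bit 10 kept set)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * reg) if local else 1 << (2 * reg + 1)
    return 0x400 | enable | (rw << (16 + 4 * reg)) | (ln << (18 + 4 * reg))


def method10_verdict(dr7: int) -> str:
    """The reasoning of method 10 applied to a DR7 value read in ring 0."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM?)"
    if d["LE"] or d["GE"]:
        return "LE/GE set: loaded through the SoftICE loader"
    return "clean"


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "write", 4)):
        print(f"DR7={value:#010x}: {method10_verdict(value)}  {decode_dr7(value)}")
```

The page's point that this only works in ring 0 still holds: `mov eax, dr7` from ring 3 raises a general protection fault, so a protector needs a VxD (or one of the ring-0 backdoors discussed above) to read the value this function decodes. A 4-byte write BPM on DR0 shows up as DR7 = 0xD0401, which is what "clearing BPMs" means in practice: the protector zeroes the L/G bits or the whole register.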

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01     ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so
  the dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the second argument, lpSubKey; 0x13 is the offset of "tICE" in
"Software\NuMega\SoftICE" and 0x37 its offset in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")
__________________________________________________________________________
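The conditional breakpoints of method 11 (CreateFileA) and of this method (_regopenkey) hard-code offsets into the strings being opened. As an added example, not part of the original text, the following derives those offsets from the device and key names the text quotes and regenerates the BPX lines, so the same can be done for other driver names or registry keys. The only assumption is SoftICE's expression syntax: `esp->N` is the dword at [esp+N] and `*(p)=='ABCD'` compares the four bytes at p with the literal.

```python
# Derive the offsets used in the conditional BPX lines of methods 11 and 13.
# Assumed SoftICE syntax: "esp->N" is the dword at [esp+N] (at a function
# entry, esp->4 is the 1st argument and esp->8 the 2nd) and *(p)=='ABCD'
# compares the four bytes at p with the literal. Strings are the ones quoted
# in the text.
DEVICE_PREFIX = "\\\\.\\"          # the  \\.\  device-namespace prefix, 4 bytes
DEVICE_NAMES = [DEVICE_PREFIX + d for d in ("SICE", "SIWVID", "NTICE")]
REG_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
]


def token_offset(s: str, token: str) -> int:
    """Byte offset of token inside the ANSI string s (-1 if absent)."""
    return s.encode("ascii").find(token.encode("ascii"))


def literal_dword(token: str) -> int:
    """The dword that memory holding the 4 ASCII bytes of token reads as
    (little-endian); for debuggers whose conditions want a number, not 'SICE'."""
    return int.from_bytes(token.encode("ascii"), "little")


def _off(n: int) -> str:
    # SoftICE's default radix is hex; keep one-digit offsets bare like the text
    return str(n) if n < 10 else f"0x{n:x}"


def bpx(func: str, arg_slot: int, conds) -> str:
    """Build "BPX func if *(esp->slot+off)=='tok' || ..." from (off, tok) pairs."""
    terms = [f"*(esp->{arg_slot}+{_off(off)})=='{tok}'" for off, tok in conds]
    return f"BPX {func} if " + " || ".join(terms)


def createfile_bpx(names=DEVICE_NAMES, func="CreateFileA") -> str:
    # 1st argument (esp->4) is lpFileName; compare the 4 bytes after the prefix
    skip = len(DEVICE_PREFIX)
    return bpx(func, 4, [(skip, n[skip:skip + 4]) for n in names])


def regopenkey_bpx(keys=REG_KEYS, token="tICE", func="_regopenkey") -> str:
    # 2nd argument (esp->8) is lpSubKey; one term per distinct offset of the token
    conds = sorted({(token_offset(k, token), token) for k in keys})
    return bpx(func, 8, conds)


if __name__ == "__main__":
    print(createfile_bpx())
    print(regopenkey_bpx())
    print(f"'SICE' as a dword: {literal_dword('SICE'):#010x}")
```

This only holds for the ANSI entry points: with CreateFileW or RegOpenKeyW the strings are UTF-16, every offset doubles and a four-byte compare covers just two characters. Adding a key such as #3 (App Paths\Loader32.Exe) would need a different token, since "tICE" does not occur in it.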


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
The service returns with the zero flag set when no debugger is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>