<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with 'BCHK' in
EBP and AX=04h, SoftICE's INT 3 handler answers by clearing AL, so AL is
still 4 afterwards only when SoftICE is absent.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' expected by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first, because the call leaves
it untouched when no VxD with that ID is loaded; a non-zero ES:DI afterwards
means the VxD answered.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as method 06, are examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with its own handler (a bare IRET), so that without a debugger the
interrupt returns with AX still 4Fh; with SoftICE present the call is
intercepted and AX comes back as 0F386h. ES is assumed to point at the
interrupt vector table (segment 0):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to detect: the
replacement handler copies AL into CL. AL is first loaded with a changing
value (the PIT counter read from port 40h) and CX is cleared; if SoftICE
intercepts int 41h instead of passing it on to the handler in the vector
table, the handler never runs and CL != AL.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), the 386 debugger
installation check:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set (DR0
to DR3), simply by reading their value (ring 0 only, since MOV from a debug
register is a privileged instruction). The values can be manipulated or
changed as well (clearing BPMs, for instance).
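Added example (C, not from the original text): a decoder for DR7 that turns
the two values quoted above into what they actually mean and, more generally,
lists which of DR0..DR3 are armed, for what kind of access and what length.
The field layout is the architectural one; reading DR7 itself takes ring 0
(MOV EAX,DR7), which the example leaves to the caller and does not attempt.
dr7_exact_flags_set() is only the page's 0x700/0x400 observation written down
as a heuristic, not an architectural guarantee.

```c
/* dr7_decode.c -- decode an x86 DR7 value into the hardware breakpoints it arms.
 * Added example, not from the original text. The caller supplies the DR7 value
 * (reading it needs ring 0); everything below is pure bit arithmetic. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE        (1u << 8)   /* local exact breakpoint enable  (bit 8)  */
#define DR7_GE        (1u << 9)   /* global exact breakpoint enable (bit 9)  */
#define DR7_RESERVED1 (1u << 10)  /* reserved, always reads as 1: the 0x400 */
#define DR7_GD        (1u << 13)  /* general detect: trap on any MOV DRn    */

enum dr_kind { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_READWRITE = 3 };

/* 4-bit mask of armed slots: bit n set if L_n or G_n is set for DR n */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (unsigned n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            mask |= 1u << n;
    return mask;
}

/* R/W field of slot n: which access fires the breakpoint */
enum dr_kind dr7_slot_kind(uint32_t dr7, unsigned n)
{
    return (enum dr_kind)((dr7 >> (16 + 4 * n)) & 3u);
}

/* LEN field of slot n in bytes. Codes: 00=1, 01=2, 10=8 (64-bit only), 11=4.
 * Execute breakpoints must use length 1. */
unsigned dr7_slot_len(uint32_t dr7, unsigned n)
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };
    return len_bytes[(dr7 >> (18 + 4 * n)) & 3u];
}

/* Return dr7 with slot n armed locally (L_n) for the given kind and length,
 * i.e. the bits a `BPM` on DRn ends up setting. */
uint32_t dr7_arm_slot(uint32_t dr7, unsigned n, enum dr_kind kind, unsigned bytes)
{
    uint32_t len_code = bytes == 1 ? 0 : bytes == 2 ? 1 : bytes == 8 ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * n));             /* clear old R/W + LEN */
    dr7 |= (uint32_t)kind << (16 + 4 * n);
    dr7 |= len_code << (18 + 4 * n);
    dr7 |= 1u << (2 * n);                        /* L_n */
    return dr7;
}

/* Heuristic lifted from the text: the SoftICE loader leaves LE|GE set
 * (0x700 together with the reserved bit); a plain load shows 0x400 only. */
int dr7_exact_flags_set(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

void dr7_print(uint32_t dr7)
{
    static const char *kind_name[4] = { "exec", "write", "io", "read/write" };
    printf("DR7=%08x LE=%d GE=%d GD=%d exact-flags=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_exact_flags_set(dr7));
    for (unsigned n = 0; n < 4; n++)
        if (dr7_enabled_mask(dr7) & (1u << n))
            printf("  DR%u armed: %s, %u byte(s)\n", n,
                   kind_name[dr7_slot_kind(dr7, n)], dr7_slot_len(dr7, n));
}

int main(void)
{
    dr7_print(0x700);   /* loaded through the SoftICE loader: LE|GE, no slots */
    dr7_print(0x400);   /* plain load: only the reserved bit */
    /* constructed: a 4-byte write BPM in DR0 on top of the plain-load value */
    dr7_print(dr7_arm_slot(0x400, 0, DR_WRITE, 4));
    return 0;
}
```

On P6 and later processors the LE/GE bits have no effect on breakpoint
behaviour, which is why they can serve as a fingerprint of whoever last wrote
DR7 rather than as breakpoint state; the armed slots (DR0..DR3) are the part
a protection can actually act on, for example by clearing them.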

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega itself to let the
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).
The way it works is very simple: it tries to open the SoftICE driver devices
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API. A
successful open means the driver is loaded.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to on Win9x */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
00401074: je 00401091           ; open failed: SoftICE not loaded


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; +4 skips the "\\.\" prefix of the device name.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
  (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in the sub-key
  strings of #2 and #1 respectively.)
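Added example (C, not from the original text): a small model of how the
conditional breakpoints quoted for method 11 (BPX CreateFileA if
*(esp->4+4)=='SICE' ...) and for method 13 above (BPX _regopenkey if
*(esp->8+0x13)=='tICE' ...) are evaluated, run against constructed memory.
It assumes SoftICE's `esp->4` means "the dword stored at esp+4", `*(x)` the
dword at x, and that a 4-character literal is compared with those bytes in
memory order (the convention the quoted breakpoints rely on). Addresses are
offsets into a flat byte array standing in for the 32-bit address space, so
the arithmetic runs unchanged in a 64-bit test process; the return addresses
and handle values in the scenarios are made up.

```c
/* sice_bpx_model.c -- evaluate the method 11 / method 13 breakpoint
 * expressions against a constructed stack frame and strings.
 * Added example, not part of the original text. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE 512
typedef struct { uint8_t b[MEM_SIZE]; } mem_t;   /* toy 32-bit address space */

/* little-endian dword read: SoftICE's `->` and `*` dereference */
static uint32_t rd32(const mem_t *m, uint32_t a)
{
    if (a + 4 > MEM_SIZE) return 0;
    return (uint32_t)m->b[a] | (uint32_t)m->b[a + 1] << 8 |
           (uint32_t)m->b[a + 2] << 16 | (uint32_t)m->b[a + 3] << 24;
}

static void wr32(mem_t *m, uint32_t a, uint32_t v)
{
    for (unsigned i = 0; i < 4; i++)
        m->b[a + i] = (uint8_t)(v >> (8 * i));
}

/* `*(a)=='ABCD'`: the four bytes at a equal the literal, in memory order */
static int tag_at(const mem_t *m, uint32_t a, const char *tag)
{
    return a + 4 <= MEM_SIZE && memcmp(&m->b[a], tag, 4) == 0;
}

/* copy a NUL-terminated string into memory at address a; returns a */
static uint32_t put_str(mem_t *m, uint32_t a, const char *s)
{
    memcpy(&m->b[a], s, strlen(s) + 1);
    return a;
}

/* [esp]=return address, [esp+4]=arg1, [esp+8]=arg2 ... exactly as the CPU
 * leaves them on entry to a stdcall API, hence esp->4 is the first argument */
static void make_frame(mem_t *m, uint32_t esp, uint32_t ret,
                       const uint32_t *args, unsigned nargs)
{
    wr32(m, esp, ret);
    for (unsigned i = 0; i < nargs; i++)
        wr32(m, esp + 4 + 4 * i, args[i]);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix of a device path. */
int bpx_createfilea_meltice(const mem_t *m, uint32_t esp)
{
    uint32_t name = rd32(m, esp + 4);
    return tag_at(m, name + 4, "SICE") || tag_at(m, name + 4, "SIWV") ||
           tag_at(m, name + 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 / 0x37 are where "tICE" sits in keys #2 and #1. */
int bpx_regopenkey_softice(const mem_t *m, uint32_t esp)
{
    uint32_t subkey = rd32(m, esp + 8);
    return tag_at(m, subkey + 0x13, "tICE") || tag_at(m, subkey + 0x37, "tICE");
}

/* byte offset of a tag inside a string: how 0x13 and 0x37 were derived */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

/* constructed scenario: CreateFileA(path, ...) about to execute; 1 = breaks */
int demo_createfilea(const char *path)
{
    mem_t m = {{0}};
    uint32_t args[1] = { put_str(&m, 0x40, path) };
    make_frame(&m, 0x100, 0x401071, args, 1);     /* return address from listing */
    return bpx_createfilea_meltice(&m, 0x100);
}

/* constructed scenario: RegOpenKeyA(HKEY_LOCAL_MACHINE, subkey, &hKey) */
int demo_regopenkey(const char *subkey)
{
    mem_t m = {{0}};
    uint32_t args[3] = { 0x80000002u, put_str(&m, 0x60, subkey), 0x1F0 };
    make_frame(&m, 0x100, 0x402000, args, 3);     /* 0x402000: assumed caller */
    return bpx_regopenkey_softice(&m, 0x100);
}

int main(void)
{
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\readme.txt" };
    for (unsigned i = 0; i < 4; i++)
        printf("CreateFileA(%-14s) -> %s\n", paths[i],
               demo_createfilea(paths[i]) ? "break" : "pass");
    const char *k = "Software\\NuMega\\SoftICE";
    printf("RegOpenKey(%s) -> %s, 'tICE' at +0x%lx\n", k,
           demo_regopenkey(k) ? "break" : "pass", tag_offset(k, "tICE"));
    return 0;
}
```

The point of the model is the two places such breakpoints usually go wrong:
the argument slot (esp->4 versus esp->8, depending on whether the string is
the first or second parameter) and the constant offset into the string, which
must be recomputed with tag_offset() whenever a different key or device name
is targeted.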
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>