<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3                  ; if SoftICE is loaded, its int 3 handler changes AL
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di             ; (ES:DI stays 0 if no VxD answered)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; ES must point to segment 0 (the interrupt
    xchg bx, es:[41h*4+2]    ; vector table); install our own int 41h handler
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the previous int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; our own handler leaves AX untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; our own handler: copy AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; AL = an arbitrary (timer) value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; CL == AL only if our handler was really called
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________
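The two DR7 values quoted above can be read off the register's bit layout. The decoder below is an added example, not code from the original text: the field positions are the Intel-documented DR7 layout (an assumption taken from the architecture, not from this page), and classify_dr7() reproduces the three cases Method 10 distinguishes (loader present, nothing set, BPMs armed).

```python
# Field layout of the x86 DR7 register, as read by the check in Method 10.
# Bits 0-7: L0,G0 .. L3,G3 enable bits; bit 8: LE; bit 9: GE; bit 10 is
# reserved and always reads as 1 (hence the 0x400 seen without SoftICE);
# bits 16-31: four (R/W, LEN) pairs, one per debug address register DR0-DR3.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Describe DR7: global flags plus which of DR0-DR3 are armed and how."""
    info = {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "breakpoints": {},
    }
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3      # R/W field of DRn
            ln = (dr7 >> (18 + 4 * n)) & 3      # LEN field of DRn
            info["breakpoints"][n] = {
                "scope": "global" if glob else "local",
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            }
    return info


def classify_dr7(dr7):
    """The decision Method 10 describes: 0x700 means the program was started
    by the SoftICE loader, 0x400 means no debug flags at all, and any armed
    DR0-DR3 entry means a memory breakpoint (BPM) is set."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoint(s) set on DR%s" % ",".join(
            str(n) for n in info["breakpoints"])
    if info["le"] and info["ge"]:
        return "LE/GE set (dr7=0x700): loaded under the SoftICE loader"
    return "no debug flags (dr7=0x400)"
```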
Method 11
=========
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);    /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!
___________________________________________________________________________
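As an added example (not part of the original text), here is a small triage script that looks in a raw binary for the byte sequences of the checks described in Methods 01-07, 11 and 12, the way an analyst would flag a protected sample before loading it in a debugger. The instruction encodings and the constructed sample buffer are assumptions of this example; the constants ('BCHK', 4647h/4A4Dh, 0202h/7A5Fh, 0F386h, 002A002Ah, the device names) come from the text.

```python
import re
import sys

# Byte patterns for the anti-SoftICE checks described above (Methods 01-07,
# 11 and 12), in their 16-bit encodings; 32-bit code only prepends a 66h
# operand-size prefix, so the same byte strings still match.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "02 int 3 back door SI=4647h/DI=4A4Dh": re.compile(
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
        re.DOTALL),
    "03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh": re.compile(
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.DOTALL),
    "05/06 int 41h then cmp ax,0F386h": re.compile(
        rb"\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12 VxDCall VWIN32_Int41Dispatch/4Fh": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(data):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding with four of the
# sequences quoted in the text embedded at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02 (Haspinst)
    + b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"    # Method 01 ('BCHK')
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # Method 12 (VxDCall)
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # Method 11 strings
)


def scan_sample():
    """Scan the constructed sample; hits land at offsets 21, 37, 56, 76, 85."""
    return scan(SAMPLE)


if __name__ == "__main__":
    # Usage: python scan.py FILE ; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

The windows of up to 16 bytes between the two halves of a pattern tolerate the unrelated instructions protectors usually interleave; widen them if a sample spreads the setup further apart.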
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' inside
the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>