About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; an unchanged AL means nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (stays 0:0 if no such VxD)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps a dummy handler into
the int 41h vector (es is assumed to hold segment 0, the real-mode IVT, as
method 06 sets explicitly), so that without a debugger the call returns
harmlessly:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from timer channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; our handler copies al into cl; if something
    jnz     SoftICE_detected ; else answered the int, cl is still 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix and
  the dword compare reads the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; 'tICE' sits at offset 0x13 in key #2
     and at offset 0x37 in key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
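
Most of the tricks above leave fixed byte sequences in the protected
binary, which is how you spot them before you ever run the thing under
SoftICE. As an added example (not part of the original text, and not
NuMega's or any packer's code), here is a Python scanner that looks for
the patterns behind methods 01 to 05, 07, 11, 12 and 13 in a raw file
image. The opcode bytes are the standard x86 encodings of the listings
above (16-bit code for the DOS tricks, 32-bit for method 12). The wildcard
gaps allowed between the identifying instructions, and the UTF-16 variant
of the MeltICE device names (for CreateFileW callers, which the text does
not cover), are my assumptions; the buffer it scans is constructed here
from the listings and is not a real binary.

```python
"""Static signature scanner for the classic anti-SoftICE tricks.

Added example. Opcode bytes are plain x86 encodings of the listings on the
page; the gap sizes and the UTF-16 device-name variant are assumptions.
"""
import re
import sys


def _gap(n: int = 8) -> bytes:
    """Lazy wildcard for up to n bytes of interleaved instructions (assumption)."""
    return b".{0,%d}?" % n


def _either_order(first: bytes, second: bytes) -> bytes:
    """first then second, or second then first, with a short gap between."""
    return b"(?:" + first + _gap() + second + b"|" + second + _gap() + first + b")"


def _ansi_or_wide(*names: str) -> bytes:
    """Alternation of each name as an ANSI string and as UTF-16LE."""
    alts = [re.escape(n.encode("ascii")) for n in names]
    alts += [re.escape(n.encode("utf-16-le")) for n in names]
    return b"(?:" + b"|".join(alts) + b")"


# (tag, description, regex).  \xB8 = mov ax,imm16 ; \xBB = mov bx,imm16 ;
# \xCD = int imm8 ; \xCC = int 3 ; \x3D = cmp ax,imm16 (16-bit code).
SIGNATURES = [
    ("M01", "mov ebp,'BCHK' ; mov ax,4 ; int 3 (BoundsChecker signature)",
     re.compile(rb"\xBD\x4B\x48\x43\x42" + _gap() + rb"\xCC", re.DOTALL)),
    ("M02", "mov si,4647h ('FG') ; mov di,4A4Dh ('JM') ; int 3 (back door)",
     re.compile(_either_order(rb"\xBE\x47\x46", rb"\xBF\x4D\x4A") + _gap() + rb"\xCC", re.DOTALL)),
    ("M03", "mov ax,1684h ; mov bx,0202h ; int 2Fh (SICE VxD entry point)",
     re.compile(_either_order(rb"\xB8\x84\x16", rb"\xBB\x02\x02") + _gap() + rb"\xCD\x2F", re.DOTALL)),
    ("M04", "mov ax,1684h ; mov bx,7A5Fh ; int 2Fh (SIWVID VxD entry point)",
     re.compile(_either_order(rb"\xB8\x84\x16", rb"\xBB\x5F\x7A") + _gap() + rb"\xCD\x2F", re.DOTALL)),
    ("M05", "mov ax,4Fh ; int 41h ; cmp ax,0F386h (debugger installation check)",
     re.compile(rb"\xB8\x4F\x00" + _gap(16) + rb"\xCD\x41" + _gap(16) + rb"\x3D\x86\xF3", re.DOTALL)),
    ("M07", "mov ah,43h ; int 68h ; cmp ax,0F386h (V86 WinICE handler check)",
     re.compile(rb"\xB4\x43" + _gap() + rb"\xCD\x68" + _gap() + rb"\x3D\x86\xF3", re.DOTALL)),
    ("M11", "\\\\.\\SICE / SIWVID / NTICE device name (MeltICE)",
     re.compile(_ansi_or_wide("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"))),
    ("M12", "push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall, 32-bit)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE registry key (NuMega\\SoftICE, Uninstall\\SoftICE, Loader32.Exe)",
     re.compile(_ansi_or_wide("NuMega\\SoftICE", "Uninstall\\SoftICE",
                              "App Paths\\Loader32.Exe"), re.IGNORECASE)),
]


def scan(blob: bytes):
    """Every hit as (offset, tag, description), sorted by offset."""
    hits = []
    for tag, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), tag, desc))
    return sorted(hits)


def found_tags(blob: bytes):
    """Set of signature tags present in blob."""
    return {tag for _, tag, _ in scan(blob)}


# --- constructed sample: the page's listings assembled by hand, not a real file
SAMPLE = b"".join([
    b"\x90" * 16,                                                # nop filler
    bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC"         # Haspinst.exe loop
                  "83C302" "41" "83F906" "72EB"),                # (method 02)
    b"\x90" * 4,
    bytes.fromhex("66BD4B484342" "B80400" "CC" "3C04" "7501"),   # method 01
    bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F"         # method 03
                  "8CC0" "01F8" "85C0" "7501"),
    bytes.fromhex("31FF" "8EC7" "B88416" "BB5F7A" "CD2F"         # method 04
                  "8CC0" "01F8" "85C0" "7501"),
    bytes.fromhex("B84F00" "CD41" "3D86F3" "7401"),              # method 05
    bytes.fromhex("B443" "CD68" "3D86F3" "7401"),                # method 07
    bytes.fromhex("6A4F" "682A002A00" "E800000000"               # method 12
                  "663D86F3" "7401"),                            # (32-bit code)
    b"\\\\.\\SICE\x00",                                          # method 11 (ANSI)
    "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00",            # method 11 (wide)
    b"Software\\NuMega\\SoftICE\x00",                            # method 13
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, tag, desc in scan(data):
        print(f"{off:08x}  {tag}  {desc}")
```

Run it with a file name to scan a real DOS or Win32 image, or with no
argument to scan the built-in sample. Methods 06, 08, 09, 10 and 14 are
left out on purpose: their code has no constant immediate to key on (int
41h alone, int 21h/25h, VMMCall stubs), so a byte signature would fire on
every program that uses those interrupts.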
</PRE></TD></TR></TBODY></TABLE>