About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It checks for the BoundsChecker signature that SoftICE answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE changes al when it sees 'BCHK'
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not installed
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap our own handler into the int 41h vector
    xchg    bx, es:[41h*4+2]    ; (es must be 0, as in Method 06, to address the IVT)
    mov     ax,4fh
    int     41h                 ; only a debugger that intercepts int 41h
                                ; before the IVT (SoftICE) can still answer
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; record that our handler really ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler in the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; hard-to-predict value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler ran;
    jnz     SoftICE_detected    ; if SoftICE swallowed the int, cl is still 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
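As an added defender-side example (not part of the original text), here is a small Python triage scanner that turns the byte patterns behind several of the methods above into signatures and runs them over a constructed sample buffer: the 'BCHK' immediate plus int 3 of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h VxD lookup of Methods 03 and 04, the int 41h/4Fh call of Method 05, int 68h/43h of Method 07, the int 21h/25h vector hooking of Method 08, the \\.\SICE device names of Method 11 and the registry paths of Method 13. The immediates and strings are the page's; the x86 opcode encodings and the sample buffer are my own assumptions.

```python
import re

# Byte signatures for the anti-SoftICE tricks described above. Immediates and
# strings come from the text; the x86 opcode encodings (16-bit real mode unless
# noted) are assumed here: B8/BB/BE/BF = mov ax/bx/si/di,imm16, B4 = mov ah,imm8,
# B0 = mov al,imm8, BD = mov ebp,imm32 (32-bit code), CD ib = int ib, CC = int 3.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') followed within 16 bytes by int 3
    "01 BoundsChecker BCHK/int 3": rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) shortly before int 3
    "02 SoftICE back door magic SI/DI":
        rb"(\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 08: mov ah,25h ; mov al,01h|03h ... int 21h (re-vector int 1 / int 3)
    "08 int 21h/25h hooks int 01h/03h": rb"\xB4\x25\xB0[\x01\x03].{0,8}?\xCD\x21",
    # Method 11: driver device names opened with CreateFileA or _lopen
    "11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)\x00",
    # Method 13: registry paths used to locate the SoftICE installation
    "13 registry probe": rb"|".join(re.escape(p) for p in (
        rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE", rb"App Paths\Loader32.Exe")),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED.items() for m in rx.finditer(data)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test buffer: filler bytes with four of the tricks spliced in."""
    filler = bytes(range(0x90, 0xA0)) * 2                 # 32 bytes, matches nothing
    haspinst = bytes.fromhex("B81109 BE4746 BF4D4A CC")   # Method 02 core (Haspinst.exe)
    meltice = b"\\\\.\\SICE\x00"                           # Method 11 device name
    int41 = bytes.fromhex("B84F00 CD41")                   # Method 05
    vxd = bytes.fromhex("B88416 BB0202 CD2F")              # Method 03 (SICE VxD ID 0202h)
    return filler + haspinst + filler + meltice + filler + int41 + filler + vxd + filler


if __name__ == "__main__":
    for offset, method in scan(build_sample()):
        print(f"{offset:#06x}  {method}")
```

A real binary may encode the same instructions differently (other registers, operand-size prefixes, split immediates), so treat hits as triage leads to confirm in a disassembler, not as proof.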