About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises: if
SoftICE is loaded it answers the int 3 call and AL no longer holds 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced by a dummy handler that just returns, so only a real debugger
sitting in front of the vector table can turn AX into 0F386h:

    mov     bx, cs                  ; ES must be 0 here (see Method 06)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
no magic value is compared. The dummy handler copies AL into CL; if it is
the one that actually services the int 41h, CL equals AL afterwards, and
anything else answering the interrupt gives itself away.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an unpredictable value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; DS:DX = new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
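The two DR7 values quoted above only make sense once the register's bit layout is known. The C program below is an added example, not code from the original text: it decodes a DR7 value into its breakpoint slots and control flags using the documented x86 layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, a reserved bit 10 that always reads 1, GD bit 13, R/Wn and LENn in bits 16-31) and classifies it the way a Method 10 style check does. The function names are mine; the sample values 0x400 and 0x700 are the ones quoted above, and the third sample (DR0 armed as a 4-byte write watchpoint) is constructed. Reading the live DR7 still needs ring 0, as the text says; the decoder only interprets a value already obtained.

```c
/*
 * Added example (not from the original text): decode an x86 DR7 value and
 * give the verdict a Method 10 style check derives from it.
 * Bit layout: L0/G0..L3/G3 = bits 0-7, LE = bit 8, GE = bit 9, bit 10 reserved
 * (reads 1), GD = bit 13, R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dr7_slot {
    int local_enable;   /* Ln: breakpoint n enabled for the current task */
    int global_enable;  /* Gn: breakpoint n enabled for all tasks */
    int rw;             /* R/Wn: 0 exec, 1 write, 2 I/O, 3 read/write */
    int len;            /* LENn: 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
};

struct dr7_info {
    struct dr7_slot slot[4];
    int le, ge;         /* exact breakpoint enables (bits 8 and 9) */
    int gd;             /* general detect: trap on any MOV to/from DRx (bit 13) */
    int armed_mask;     /* bit n set when slot n has L or G enabled */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    for (int n = 0; n < 4; n++) {
        struct dr7_slot *s = &info.slot[n];
        s->local_enable  = (dr7 >> (2 * n)) & 1;
        s->global_enable = (dr7 >> (2 * n + 1)) & 1;
        s->rw  = (dr7 >> (16 + 4 * n)) & 3;
        s->len = (dr7 >> (18 + 4 * n)) & 3;
        if (s->local_enable || s->global_enable)
            info.armed_mask |= 1 << n;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* Accessors so callers need not unpack the struct. */
int dr7_armed_mask(uint32_t dr7) { struct dr7_info i = decode_dr7(dr7); return i.armed_mask; }
int dr7_slot_rw(uint32_t dr7, int n)  { struct dr7_info i = decode_dr7(dr7); return i.slot[n & 3].rw; }
int dr7_slot_len(uint32_t dr7, int n) { struct dr7_info i = decode_dr7(dr7); return i.slot[n & 3].len; }

/* Verdict in the terms Method 10 uses: 0 = idle (only the reserved bit set),
 * 1 = LE/GE set but no slot armed (what the text attributes to running under
 * the SoftICE loader), 2 = at least one hardware breakpoint (BPM) armed. */
int dr7_suspicion(uint32_t dr7)
{
    struct dr7_info info = decode_dr7(dr7);
    if (info.armed_mask) return 2;
    if (info.le || info.ge) return 1;
    return 0;
}

static void describe(uint32_t dr7)
{
    static const char *rw_names[]  = { "exec", "write", "io", "read/write" };
    static const int   len_bytes[] = { 1, 2, 8, 4 };
    struct dr7_info info = decode_dr7(dr7);
    printf("DR7=%#010x LE=%d GE=%d GD=%d verdict=%d\n",
           (unsigned)dr7, info.le, info.ge, info.gd, dr7_suspicion(dr7));
    for (int n = 0; n < 4; n++)
        if (info.armed_mask & (1 << n))
            printf("  DR%d armed: %s, %d byte(s), %s\n", n,
                   rw_names[info.slot[n].rw], len_bytes[info.slot[n].len],
                   info.slot[n].global_enable ? "global" : "local");
}

int main(void)
{
    /* Constructed samples: the two values quoted in Method 10, plus a DR7
     * with DR0 armed as a local 4-byte write watchpoint (L0=1, R/W0=01,
     * LEN0=11). */
    uint32_t samples[] = { 0x400, 0x700, 0x000D0001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        describe(samples[i]);
    return 0;
}
```

0x400 is nothing but the reserved bit 10 that always reads as 1, which is why the text gives it as the idle value; 0x700 adds LE and GE, the "exact breakpoint" flags a debugger sets when it takes control, and any armed slot means a BPM-style breakpoint is live even if LE/GE are clear.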

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The device name is opened like a file; only a loaded driver answers. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
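Several of the tricks above leave fixed byte sequences in the protected binary: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic pair of Method 02, the VxD IDs of Methods 03 and 04, the int 41h/4Fh call and 0F386h compare of Methods 05 and 12, the int 68h/43h call of Method 07, the device names of Method 11 and the 002A002Ah VxDCall of Method 12. The C program below is an added example, not part of the original text: a small YARA-style scanner that flags those sequences in a buffer, as one would when triaging a packed sample. The rule names, the `??` wildcard syntax and the `scan_buffer`/`scan_sample` functions are mine; the instruction encodings are standard x86 (16-bit code assumed for the DOS-era patterns, 32-bit code with the 66h operand-size prefix for the Win32 ones), and the sample buffer is constructed by hand.

```c
/*
 * Added example (not from the original text): static signature scanner for
 * the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11 and 12.
 * Encodings: mov ebp,imm32 = BD; mov si/di,imm16 = BE/BF; mov bx,imm16 = BB;
 * mov ax,imm16 = B8; mov ah,imm8 = B4; cmp ax,imm16 = 3D; push imm32 = 68;
 * int n = CD n. 32-bit code adds the 66h prefix for 16-bit operands.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAT 16
#define N_RULES 9
#define N_DEVS  3

/* Rules in YARA-like hex form; "??" is a one-byte wildcard. */
static const struct { const char *name; const char *hex; } RULES[N_RULES] = {
    { "M01 BoundsChecker 'BCHK' loaded into EBP",         "BD 4B 48 43 42" },
    { "M02 backdoor magic SI=4647h DI=4A4Dh (16-bit)",    "BE 47 46 BF 4D 4A" },
    { "M02 backdoor magic SI=4647h DI=4A4Dh (32-bit)",    "66 BE 47 46 66 BF 4D 4A" },
    { "M03 int 2Fh with SICE VxD id 0202h",               "BB 02 02 CD 2F" },
    { "M04 int 2Fh with SIWVID VxD id 7A5Fh",             "BB 5F 7A CD 2F" },
    { "M05 int 41h function 4Fh",                         "B8 4F 00 CD 41" },
    { "M05/M12 compare AX with magic 0F386h (weak)",      "3D 86 F3" },
    { "M07 int 68h function 43h",                         "B4 43 CD 68" },
    { "M12 VxDCall VWIN32_Int41Dispatch (002A002Ah)",     "68 2A 00 2A 00" },
};

/* Device names opened by MeltICE-style checks (Method 11). */
static const char *DEVICES[N_DEVS] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };

struct sig { uint8_t bytes[MAX_PAT]; uint8_t mask[MAX_PAT]; size_t len; };

/* Parse "BD 4B ?? 42" into bytes plus a match mask. Returns -1 on bad input. */
static int parse_hex_pattern(const char *text, struct sig *s)
{
    s->len = 0;
    while (*text && s->len < MAX_PAT) {
        while (*text == ' ') text++;
        if (!*text) break;
        if (text[0] == '?' && text[1] == '?') {
            s->bytes[s->len] = 0; s->mask[s->len] = 0x00;
        } else {
            unsigned v;
            if (sscanf(text, "%2x", &v) != 1) return -1;
            s->bytes[s->len] = (uint8_t)v; s->mask[s->len] = 0xFF;
        }
        s->len++;
        text += 2;
    }
    return 0;
}

static int match_at(const uint8_t *p, size_t avail, const struct sig *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if ((p[i] & s->mask[i]) != (s->bytes[i] & s->mask[i])) return 0;
    return 1;
}

/* Bitmask result: bit r set if RULES[r] matched anywhere in the buffer,
 * bit 16+d set if DEVICES[d] occurs as an ASCII substring. */
unsigned scan_buffer(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    struct sig s;
    for (int r = 0; r < N_RULES; r++) {
        if (parse_hex_pattern(RULES[r].hex, &s) != 0) continue;
        for (size_t off = 0; off + s.len <= n; off++)
            if (match_at(buf + off, n - off, &s)) { hits |= 1u << r; break; }
    }
    for (int d = 0; d < N_DEVS; d++) {
        size_t l = strlen(DEVICES[d]);
        for (size_t off = 0; off + l <= n; off++)
            if (memcmp(buf + off, DEVICES[d], l) == 0) { hits |= 1u << (16 + d); break; }
    }
    return hits;
}

/* Constructed sample: a Method 01 check, a Method 11 device string and a
 * Method 12 VxDCall with its 0F386h compare, between harmless bytes. */
unsigned scan_sample(void)
{
    static const uint8_t sample[] = {
        0x90, 0x90, 0x55, 0x8B, 0xEC,                  /* nop; nop; push ebp; mov ebp,esp */
        0xBD, 0x4B, 0x48, 0x43, 0x42,                  /* mov ebp,4243484Bh  ('BCHK') */
        0x66, 0xB8, 0x04, 0x00, 0xCC,                  /* mov ax,4 ; int 3 */
        0x3C, 0x04, 0x75, 0x10,                        /* cmp al,4 ; jnz detected */
        '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,  /* "\\.\SICE" */
        0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,      /* push 4Fh ; push 002A002Ah */
        0xE8, 0x00, 0x00, 0x00, 0x00,                  /* call VxDCall (rel32 placeholder) */
        0x66, 0x3D, 0x86, 0xF3, 0x74, 0x02,            /* cmp ax,0F386h ; jz detected */
        0x90, 0x90,
    };
    return scan_buffer(sample, sizeof sample);
}

int main(void)
{
    unsigned hits = scan_sample();
    for (int r = 0; r < N_RULES; r++)
        if (hits & (1u << r)) printf("hit: %s\n", RULES[r].name);
    for (int d = 0; d < N_DEVS; d++)
        if (hits & (1u << (16 + d))) printf("hit: device string %s\n", DEVICES[d]);
    return 0;
}
```

The 3-byte 0F386h rule is marked weak on purpose: `3D 86 F3` can occur by chance in data, so on a real sample it is worth reporting only together with one of the int 41h or VxDCall rules it normally sits next to.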
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>