About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE's int 3 handler
recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 if nobody serviced the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks for.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
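As an added example (not part of the original text), here is how an analyst's
int 3 tracer could classify recorded calls using the magic values from Methods
01 and 02: the 'BCHK' ebp/ax pair, the SI/DI pair 4647h/4A4Dh, the function
number in AX, and the command string at ds:dx, with HBOOT flagged as
destructive. The Int3Call record layout, the function names and the sample
trace are constructed for this example; they are not the format or output of
any real tool.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One recorded int 3 invocation: register snapshot plus the string the tracer
   found at ds:dx (NULL if nothing usable was there). Constructed layout. */
typedef struct {
    uint32_t    ebp;
    uint16_t    ax, si, di;
    const char *ds_dx;
} Int3Call;

enum Int3Kind {
    INT3_PLAIN = 0,        /* ordinary breakpoint, nothing to report */
    INT3_BCHK,             /* Method 01: BoundsChecker signature probe */
    INT3_BACKDOOR,         /* Method 02: SoftICE back door, non-destructive */
    INT3_BACKDOOR_HBOOT    /* Method 02: back door told to execute HBOOT */
};

/* Magic values quoted on the page. */
#define BCHK_MAGIC_EBP  0x4243484Bu   /* 'BCHK' */
#define BCHK_FUNCTION   0x0004
#define SICE_MAGIC_SI   0x4647
#define SICE_MAGIC_DI   0x4A4D

const char *backdoor_function_name(uint16_t ax)
{
    switch (ax) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return "unknown back door function";
    }
}

/* True if the command at ds:dx is HBOOT. SoftICE commands are not case
   sensitive; leading blanks and trailing arguments are tolerated. */
int is_hboot_command(const char *cmd)
{
    static const char word[] = "HBOOT";
    size_t i;
    if (cmd == NULL) return 0;
    while (*cmd == ' ') cmd++;
    for (i = 0; word[i] != '\0'; i++) {
        char c = cmd[i];
        if (c >= 'a' && c <= 'z') c = (char)(c - 'a' + 'A');
        if (c != word[i]) return 0;
    }
    return cmd[i] == '\0' || cmd[i] == ' ';
}

enum Int3Kind classify_int3(const Int3Call *c)
{
    if (c->ebp == BCHK_MAGIC_EBP && c->ax == BCHK_FUNCTION)
        return INT3_BCHK;
    if (c->si == SICE_MAGIC_SI && c->di == SICE_MAGIC_DI) {
        if (c->ax == 0x0911 && is_hboot_command(c->ds_dx))
            return INT3_BACKDOOR_HBOOT;
        return INT3_BACKDOOR;
    }
    return INT3_PLAIN;
}

/* Scans a trace, prints one line per suspicious call and returns how many
   there were; *hboot_seen is set if any of them would reboot the machine. */
int scan_int3_trace(const Int3Call *calls, size_t n, int *hboot_seen)
{
    int suspicious = 0;
    *hboot_seen = 0;
    for (size_t i = 0; i < n; i++) {
        enum Int3Kind k = classify_int3(&calls[i]);
        if (k == INT3_PLAIN) continue;
        suspicious++;
        if (k == INT3_BCHK) {
            printf("#%zu: Method 01 BoundsChecker probe (ebp='BCHK', ax=4)\n", i);
            continue;
        }
        if (k == INT3_BACKDOOR_HBOOT) *hboot_seen = 1;
        printf("#%zu: Method 02 back door, ax=%04Xh (%s), ds:dx=\"%s\"%s\n", i,
               calls[i].ax, backdoor_function_name(calls[i].ax),
               calls[i].ds_dx ? calls[i].ds_dx : "",
               k == INT3_BACKDOOR_HBOOT ? " (HBOOT: would reboot)" : "");
    }
    return suspicious;
}

int main(void)
{
    /* Constructed trace modelled on the Haspinst.exe loop above. */
    const Int3Call trace[] = {
        { 0x00000000u, 0x0004, 0x0000, 0x0000, NULL },     /* a normal int 3 */
        { 0x4243484Bu, 0x0004, 0x0000, 0x0000, NULL },     /* Method 01 */
        { 0x00000000u, 0x0911, 0x4647, 0x4A4D, "LDT" },    /* Method 02 */
        { 0x00000000u, 0x0911, 0x4647, 0x4A4D, "hboot" },  /* Method 02, destructive */
    };
    int hboot;
    int n = scan_int3_trace(trace, sizeof trace / sizeof trace[0], &hboot);
    printf("%d suspicious int 3 calls, HBOOT %s\n", n, hboot ? "present" : "absent");
    return 0;
}
```

The SI/DI pair is checked on its own because, as the text says, it is present
on every back door call whatever the function in AX; the HBOOT test is the one
that matters when deciding whether it is safe to let the call through.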
___________________________________________________________________________


Method 03
=========

Less used method.  It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the entry
point of the SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; (added) es = 0 so es:[41h*4] addresses the IVT, as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install a dummy int 41h handler in the IVT
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h             ; a system debugger answers before the IVT handler
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
program installs its own int 41h handler that copies al to cl; if SoftICE is
loaded it swallows int 41h itself, the handler never runs and cl stays 0:

int41handler PROC
    mov     cl,al           ; only reached if nothing intercepted int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable byte (PIT counter) so it cannot be faked
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our own handler ran
    jnz     SoftICE_detected

Note that the comparison relies on al being non-zero: if the byte read from
port 40h happens to be 0, cl (zeroed beforehand) equals al even when a
debugger swallowed the interrupt, so this check gives a false negative about
one time in 256.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

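As an added example (not from the original text), here is a decoder for a
DR7 image that shows what such a ring 0 check actually looks at: the L/G
enable bits that tell whether DR0..DR3 are armed, the R/W and LEN fields that
describe each memory breakpoint, and the LE/GE bits that make 0x700 differ
from 0x400 (bit 10 is reserved and always reads as 1, which is where the 0x400
baseline comes from). Reading DR7 itself needs ring 0, as the text says; the
decoder below only works on a value already read, and dr7_arm_slot builds the
image a BPM would leave behind so the decoder can be tried offline. Function
names and the sample values are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One hardware breakpoint slot (DR0..DR3) as configured by DR7. */
typedef struct {
    int enabled;   /* L<n> or G<n> set: the slot is armed */
    int global;    /* G<n> set */
    int rw;        /* R/W<n>: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;       /* bytes covered: 1, 2, 4 (8 only in 64-bit mode) */
} DrSlot;

typedef struct {
    DrSlot slot[4];
    int    le, ge; /* bits 8/9: local/global exact breakpoint enable */
    int    gd;     /* bit 13: general detect, traps any access to DR0..DR7 */
    int    armed;  /* number of slots with L or G set */
} Dr7Info;

/* LEN<n> encoding (Intel SDM): 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit only). */
static const int kLenBytes[4] = { 1, 2, 8, 4 };

Dr7Info decode_dr7(uint32_t dr7)
{
    Dr7Info info;
    memset(&info, 0, sizeof info);
    for (int n = 0; n < 4; n++) {
        int l = (dr7 >> (2 * n)) & 1;
        int g = (dr7 >> (2 * n + 1)) & 1;
        info.slot[n].enabled = l | g;
        info.slot[n].global  = g;
        info.slot[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        info.slot[n].len     = kLenBytes[(dr7 >> (18 + 4 * n)) & 3];
        info.armed          += l | g;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* Arms slot n in a DR7 image the way a memory breakpoint (BPM) would. */
uint32_t dr7_arm_slot(uint32_t dr7, int n, int rw, int len_bytes, int global)
{
    uint32_t len_code = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 8 ? 2 : 3;
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));                 /* clear old R/W and LEN */
    dr7 |= ((uint32_t)(rw & 3) | (len_code << 2)) << (16 + 4 * n);
    return dr7;
}

/* 0x400 is the "nothing set" value (reserved bit 10 always reads as 1);
   0x700 additionally has LE and GE set, which the text reports for programs
   started through the SoftICE loader. */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700) == 0x700;
}

/* What a ring 0 anti-debug check concludes from the DR7 image it read. */
int dr7_shows_debugger(uint32_t dr7)
{
    return decode_dr7(dr7).armed > 0 || dr7_matches_softice_loader(dr7);
}

static void report(uint32_t dr7)
{
    static const char *const rw_names[4] = { "execute", "write", "I/O", "read/write" };
    Dr7Info i = decode_dr7(dr7);
    printf("DR7=%08X  LE=%d GE=%d GD=%d  armed=%d  debugger=%s\n",
           (unsigned)dr7, i.le, i.ge, i.gd, i.armed,
           dr7_shows_debugger(dr7) ? "yes" : "no");
    for (int n = 0; n < 4; n++)
        if (i.slot[n].enabled)
            printf("  DR%d: %s, %d byte(s), %s\n", n, rw_names[i.slot[n].rw],
                   i.slot[n].len, i.slot[n].global ? "global" : "local");
}

int main(void)
{
    report(0x400);                                    /* nothing set */
    report(0x700);                                    /* SoftICE loader signature */
    report(dr7_arm_slot(0x400, 0, 1, 4, 0));          /* like a 4-byte write BPM on DR0 */
    report(dr7_arm_slot(dr7_arm_slot(0x400, 0, 1, 4, 0), 3, 3, 2, 1));
    return 0;
}
```

The armed count is the part a protection cares about: clearing the L/G bits
(or the whole DR0..DR3) is exactly the "clearing BPMs" the text mentions.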
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

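As an added example (not from the original text), the two conditional
breakpoints quoted above for Method 11 (CreateFileA on the "\\.\SICE" family
of names) and Method 13 (_regopenkey with 'tICE' at offsets 0x13 and 0x37) are
rewritten below as C functions over the same arguments, so the offsets can be
checked and the gaps seen: the fixed-offset registry condition fires for keys
#1 and #2 but not for key #3, nor for a program that opens "Software\NuMega"
and then "SoftICE" relative to that handle, which a position-independent
search catches. Function names and the sample keys are mine; the key strings
are the three listed above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device names MeltICE opens. The BPX compares only the first four
   characters of the name, hence 'SIWV' and 'NTIC' in its condition. */
static const char *const kSoftIceDevices[] = { "SICE", "SIWVID", "NTICE" };

/* Mirrors  BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is the
   lpFileName argument and +4 skips the "\\.\" device prefix. Returns the index
   into kSoftIceDevices, or -1 when that breakpoint would not fire. */
int meltice_device_index(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return -1;
    for (int i = 0; i < 3; i++)
        if (strncmp(lpFileName + 4, kSoftIceDevices[i], 4) == 0)
            return i;
    return -1;
}

/* Mirrors  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   where esp->8 is lpSubKey: 0x13 is where "SoftICE" lands in key #2 and 0x37
   where it lands in key #1. Bounds-checked, which the raw BPX is not. */
int regopenkey_bpx_fires(const char *lpSubKey)
{
    size_t n = lpSubKey ? strlen(lpSubKey) : 0;
    return (n >= 0x13 + 4 && memcmp(lpSubKey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(lpSubKey + 0x37, "tICE", 4) == 0);
}

/* Case-insensitive substring search (registry names are not case sensitive). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t nl = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i;
        for (i = 0; i < nl; i++) {
            char a = hay[i], b = needle[i];
            if (a >= 'a' && a <= 'z') a = (char)(a - 'a' + 'A');
            if (b >= 'a' && b <= 'z') b = (char)(b - 'a' + 'A');
            if (a != b) break;
        }
        if (i == nl) return 1;
    }
    return 0;
}

/* Position-independent form of the same check: which SoftICE-related name the
   sub key mentions (0 = SoftICE, 1 = NuMega, 2 = Loader32) or -1. */
static const char *const kRegistryNeedles[] = { "SoftICE", "NuMega", "Loader32" };

int registry_needle_index(const char *lpSubKey)
{
    if (lpSubKey == NULL) return -1;
    for (int i = 0; i < 3; i++)
        if (contains_nocase(lpSubKey, kRegistryNeedles[i]))
            return i;
    return -1;
}

int main(void)
{
    /* The three sub keys listed above, plus the second step of a two-step open. */
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
        "SoftICE",
    };
    for (int i = 0; i < 4; i++)
        printf("%-70s bpx=%d needle=%d\n", keys[i],
               regopenkey_bpx_fires(keys[i]), registry_needle_index(keys[i]));
    printf("\\\\.\\SIWVID is device %d\n", meltice_device_index("\\\\.\\SIWVID"));
    return 0;
}
```

The bpx column is 1 only for the first two keys; the needle column is set for
all four, which is the difference between the offset-bound breakpoint and a
search of the whole sub key string.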
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>