About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
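As an added example (not part of the original text), a static triage scanner that flags the opcode and string signatures implied by Methods 01 to 05, 07, 11, 12 and 13 in a byte blob, the way an analyst would pre-screen a packed sample for these checks before stepping through it. The x86 encodings are my own derivation from the instructions listed above, and the sample blob is constructed.

```python
# Static triage of a binary for the anti-SoftICE checks catalogued above.
# Rules are opcode/string signatures derived from the listed instructions
# (16-bit encodings where the snippet is 16-bit). Two-part rules need a
# confirming sequence within a short window, so a lone immediate never fires.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    method: str
    anchor: bytes         # sequence that must be present
    confirm: bytes = b""  # optional sequence that must start within ...
    window: int = 0       # ... this many bytes after the anchor ends

RULES = (
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    Rule("01 BoundsChecker 'BCHK' int 3", b"\xBD\x4B\x48\x43\x42", b"\xCC", 8),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values)
    Rule("02 back door SI=4647h/DI=4A4Dh", b"\xBE\x47\x46", b"\xBF\x4D\x4A", 8),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    Rule("03 int 2Fh/1684h VxD 0202h (SICE)", b"\xB8\x84\x16\xBB\x02\x02", b"\xCD\x2F", 8),
    Rule("04 int 2Fh/1684h VxD 7A5Fh (SIWVID)", b"\xB8\x84\x16\xBB\x5F\x7A", b"\xCD\x2F", 8),
    # Method 05: mov ax,4Fh ; int 41h
    Rule("05 int 41h/4Fh", b"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    Rule("07 int 68h/43h", b"\xB4\x43\xCD\x68", b"\x3D\x86\xF3", 8),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    Rule("11 MeltICE device name", b"\\\\.\\SICE"),
    Rule("11 MeltICE device name", b"\\\\.\\SIWVID"),
    Rule("11 MeltICE device name", b"\\\\.\\NTICE"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) ... cmp ax,0F386h
    Rule("12 VxDCall VWIN32_Int41Dispatch", b"\x68\x2A\x00\x2A\x00", b"\x3D\x86\xF3", 16),
    # Method 13: registry paths that reveal the SoftICE installation
    Rule("13 SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    Rule("13 SoftICE registry key", b"Uninstall\\SoftICE"),
    Rule("13 SoftICE registry key", b"App Paths\\Loader32.Exe"),
)

def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) for every rule that fires, sorted by offset."""
    hits = set()
    for rule in RULES:
        pos = data.find(rule.anchor)
        while pos != -1:
            end = pos + len(rule.anchor)
            limit = end + rule.window + len(rule.confirm)  # confirm starts in [end, end+window]
            if not rule.confirm or data.find(rule.confirm, end, limit) != -1:
                hits.add((pos, rule.method))
            pos = data.find(rule.anchor, pos + 1)
    return sorted(hits)

# Constructed sample, not a real binary: NOP filler with the page's Method 01,
# 02, 05 and 11 sequences embedded, plus a lone 'mov si,4647h' that must not fire.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # offset 16: Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # offset 37: Method 02 (si load)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # offset 48: Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                   # offset 60: Method 11
    + b"\xBE\x47\x46" + b"\x90" * 20                       # offset 69: no DI load, no hit
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```

The scanner only flags candidate sites; the SoftICE breakpoints listed under each method are what confirm at run time which check actually executes.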