<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

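The breakpoints above catch these tricks while the program runs under SoftICE; an analyst triaging a packer or protector also wants to spot them statically. The following scanner is an added example, not part of the original text: it searches a code image for the byte encodings of the checks from Methods 01, 02, 03/04, 05 and 07, the 0F386h compare shared by Methods 05, 07 and 12, and the driver names of Method 11. The encodings are standard x86 (an optional 66h prefix covers 16-bit and 32-bit code), and the sample buffer is constructed by hand, not taken from any real binary.

```python
import re

# Optional 0x66 operand-size prefix: the same checks appear in 16-bit DOS
# code and in 32-bit Win32 code that still uses 16-bit registers.
P = rb"(?:\x66)?"
GAP = rb".{0,16}?"   # tolerate a few unrelated instructions in between
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3
    ("01", P + rb"\xBD\x4B\x48\x43\x42" + GAP + P + rb"\xB8\x04\x00" + GAP + rb"\xCC",
     lambda m: "BoundsChecker 'BCHK' signature check via int 3"),
    # Method 02: mov si,4647h; mov di,4A4Dh; int 3 (back-door command)
    ("02", P + rb"\xBE\x47\x46" + GAP + P + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
     lambda m: "SoftICE back-door magic values SI=4647h DI=4A4Dh"),
    # Methods 03/04: mov ax,1684h; mov bx,<VxD id>; int 2Fh
    ("03/04", P + rb"\xB8\x84\x16" + GAP + P + rb"\xBB(\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
     lambda m: "int 2Fh/1684h entry point of "
     + ("SICE (0202h)" if m.group(1) == b"\x02\x02" else "SIWVID (7A5Fh)")),
    # Method 05: mov ax,4Fh; int 41h
    ("05", P + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
     lambda m: "int 41h function 4Fh debugger installation check"),
    # Method 07: mov ah,43h; int 68h
    ("07", rb"\xB4\x43" + GAP + rb"\xCD\x68",
     lambda m: "int 68h function 43h WinICE handler check"),
    # Methods 05/07/12: cmp ax,0F386h (magic number of system debuggers)
    ("F386", P + rb"\x3D\x86\xF3",
     lambda m: "compare with debugger magic number 0F386h"),
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    ("11", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
     lambda m: "opens driver \\\\.\\" + m.group(1).decode()),
]

def scan(code: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every pattern found in code."""
    hits = []
    for method, pattern, describe in SIGNATURES:
        for m in re.finditer(pattern, code, re.S):
            hits.append((m.start(), method, describe(m)))
    return sorted(hits)

# Constructed sample: hand-encoded sequences from the text with NOP padding (not a real binary).
NOPS = b"\x90" * 4
SAMPLE = (
    b"\x55\x8B\xEC"                                           # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"     # Method 01 (32-bit code)
    + NOPS
    + b"\x66\xB8\x11\x09\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC" # Method 02 (32-bit code)
    + NOPS
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                     # Method 04 (16-bit code)
    + NOPS
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                     # Method 05 (16-bit code)
    + NOPS
    + b"\xB4\x43\xCD\x68"                                     # Method 07
    + NOPS
    + b"\\\\.\\SICE\x00"                                      # Method 11 device name
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"0x{offset:04X}  Method {method:<5} {description}")
```

Run it on a raw code section dumped from the protected file; hits on the 0F386h compare alone are only a hint, while the paired int 41h/int 68h sequences and the device-name strings are the strong indicators.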
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>