<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command -the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                 ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                    ; ...which SoftICE bypasses if it is loaded
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

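The back door, int 2Fh/1684h and int 41h/4Fh probes of Methods 02 to 05 all leave a recognisable register setup in front of an INT. The following Python scanner is an added example, not part of the original text or of any tool it mentions: it decodes that handful of 16-bit opcodes and flags such sequences in a byte string, so a file under triage can be checked for these probes statically. The sample bytes are hand-assembled from the snippets above (constructed).

```python
"""Static scanner for the 16-bit SoftICE probes of Methods 02-05 (added example,
not part of the original text). Only the opcodes those probes use are decoded;
each INT is checked against the register setup the page describes in front of it."""
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]   # opcode order B8..BF
BACKDOOR_SI, BACKDOOR_DI = 0x4647, 0x4A4D                   # SoftICE 'magic values'
BACKDOOR_FN = {0x0910: "display string", 0x0911: "execute command",
               0x0912: "get breakpoint infos", 0x0913: "set breakpoints",
               0x0914: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}                # int 2Fh/1684h BX values

def decode(code: bytes) -> list:
    """Linear sweep returning (offset, mnemonic, operand) for MOV r16,imm16, INT 3,
    INT imm8 and CMP AX,imm16; other bytes are skipped (triage heuristic, not a disassembler)."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF and i + 2 < len(code):        # MOV r16, imm16
            out.append((i, "MOV", (REG16[op - 0xB8], code[i+1] | code[i+2] << 8)))
            i += 3
        elif op == 0xCC:                                      # INT 3
            out.append((i, "INT", 3)); i += 1
        elif op == 0xCD and i + 1 < len(code):                # INT imm8
            out.append((i, "INT", code[i+1])); i += 2
        elif op == 0x3D and i + 2 < len(code):                # CMP AX, imm16
            out.append((i, "CMP_AX", code[i+1] | code[i+2] << 8)); i += 3
        else:
            i += 1
    return out

def scan(code: bytes) -> list:
    """For every INT, match the registers loaded since the previous INT against
    the back door, VxD entry point and debugger installation check patterns."""
    hits, regs = [], {}
    for off, mnem, arg in decode(code):
        if mnem == "MOV":
            regs[arg[0]] = arg[1]
            continue
        if mnem != "INT":
            continue
        ax = regs.get("AX", 0)
        if arg == 3 and regs.get("SI") == BACKDOOR_SI and regs.get("DI") == BACKDOOR_DI:
            hits.append(f"{off:04X}: INT 3 back door, AX={ax:04X} "
                        f"({BACKDOOR_FN.get(ax, 'unknown function')})")
        elif arg == 0x2F and ax == 0x1684 and regs.get("BX") in VXD_IDS:
            hits.append(f"{off:04X}: INT 2F/1684 entry point of {VXD_IDS[regs['BX']]}")
        elif arg == 0x41 and ax == 0x4F:
            hits.append(f"{off:04X}: INT 41/4F debugger installation check")
        regs = {}                      # register state is reset at each INT
    return hits

# Constructed sample: the Haspinst.exe loop body (Method 02) followed by the
# Method 03 and Method 05 snippets, hand-assembled to 16-bit opcodes.
SAMPLE = bytes.fromhex(
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"      # MOV AX,0911 / MOV DX,[BX] / SI / DI / INT 3
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"      # XOR DI,DI / MOV ES,DI / AX=1684 / BX=0202 / INT 2F
    "B84F00" "CD41" "3D86F3")                   # MOV AX,4F / INT 41 / CMP AX,F386

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```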
_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; our handler only copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; pseudo-random value from the timer port
    xor cx, cx
    int 41h                    ; reaches our handler only if SoftICE does not take int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; cl == al unless the call never reached our handler
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
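To see what the DR7 values quoted above actually encode, here is an added Python decoder (not part of the original text or of any tool it describes) that lists the LE/GE/GD flags and the hardware breakpoints (dr0 to dr3) enabled by a DR7 value. The bit layout is Intel's documented DR7 format; the sample values are constructed, the third one being a dword write breakpoint on top of the 0x700 case.

```python
"""Decode DR7 as used in Method 10 (added example, not part of the original text).
Bit layout is Intel's documented DR7 format; the sample values are constructed."""

RW_TYPE = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}       # 0b10 means 8 bytes in 64-bit mode only

def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Return the LE/GE/GD flags and every enabled breakpoint (the BPMs the page
    talks about) with its address, access type, length and local/global scope."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1             # Ln: bits 0,2,4,6
        glob = (dr7 >> (2 * n + 1)) & 1          # Gn: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3           # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * n)) & 3           # LENn: bits 18-19, 22-23, 26-27, 30-31
        bps.append({"n": n, "addr": dr0_3[n], "type": RW_TYPE[rw],
                    "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": bps}

def describe_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """One-line summary. Bit 10 (0x400) is reserved and reads as 1, so the page's
    0x400 means 'nothing set' and 0x700 means LE and GE are on as well."""
    d = decode_dr7(dr7, dr0_3)
    flags = ",".join(f for f in ("LE", "GE", "GD") if d[f]) or "none"
    bps = "; ".join(f"DR{b['n']}={b['addr']:08X} {b['type']} len={b['len']} {b['scope']}"
                    for b in d["breakpoints"]) or "no hardware breakpoints"
    return f"DR7={dr7:08X} flags={flags} {bps}"

# Constructed samples: the two values quoted on the page, plus a dword write
# breakpoint on DR0 at 00401000h set while running under SoftICE Loader.
SAMPLES = {
    "not loaded":     (0x00000400, (0, 0, 0, 0)),
    "SoftICE Loader": (0x00000700, (0, 0, 0, 0)),
    "loader + BPM":   (0x000D0701, (0x00401000, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, (dr7, regs) in SAMPLES.items():
        print(f"{name:15} {describe_dr7(dr7, regs)}")
```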
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE drivers' handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger Installation Check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>