<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h           ; VxD ID of winice
 int 2Fh
 mov ax, es              ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh           ; VxD ID of SIWVID
 int 2fh
 mov ax, es              ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; ES must point to the IVT (segment 0): swap in our
 xchg bx, es:[41h*4+2]   ; own int 41h handler, keeping the old vector in BX:DX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; our handler just copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax               ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install our handler, saving the old vector in BX:DX
 xchg bx, es:[41h*4+2]
 in al, 40h              ; unpredictable value read from the timer port
 xor cx,cx
 int 41h                 ; if a debugger swallows int 41h, CL never receives AL
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number      ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ; will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ; will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06), but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
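
As an added example (not part of the original text), here is a Python scanner that looks for the byte sequences and strings from methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw code blob, the way an analyst triages a packed sample for anti-debugging tricks; the encodings are hand-assembled from the listings above and the sample buffer is constructed.

```python
import re

# Added example, not from the original text: each entry pairs a method from the
# list above with a regex over raw bytes. The x86 encodings are hand-assembled
# from the listings in their 16-bit form; 32-bit builds insert 66h prefixes that
# some of these patterns would miss, so a hit is a lead for manual review, not
# proof of anti-debugging.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  ->  BD 4B 48 43 42 .. CC
    ("M01 BCHK/BoundsChecker int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh  ->  BE 47 46 .. BF 4D 4A
    ("M02 back-door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID query",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h  ->  B8 4F 00 CD 41
    ("M05 int 41h/4Fh", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h  ->  B4 43 CD 68
    ("M07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall  ->  6A 4F 68 2A 00 2A 00
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys used to locate the SoftICE directory
    ("M13 SoftICE registry key",
     re.compile(b"|".join(re.escape(k) for k in (
         b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
         b"App Paths\\Loader32.Exe")), re.IGNORECASE)),
]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): NOP filler around three of the
# sequences, so the expected hits are at offsets 8, 25 and 36.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                       # method 03
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                        # method 11
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```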
1 [2 j' v9 H" q( D# O$ U</PRE></TD></TR></TBODY></TABLE> |