<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with the 'BCHK'
magic in EBP and AX = 4, SoftICE recognises the INT 3 and returns with AL
no longer equal to 4; without SoftICE the INT 3 comes back with AL untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL still 4 -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to reach
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the VxD ID of SoftICE through int 2Fh
function 1684h (Get VxD API entry point): if the VxD is loaded, ES:DI
returns its entry point, otherwise ES:DI is left at 0000:0000.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the VxD ID of
the SoftICE graphics (SIWVID) VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method that looks for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector at a
plain IRET, so that a resident program which merely hooked the real-mode
vector cannot answer; SoftICE intercepts int 41h before the vector is
reached and still returns 0F386h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must be 0 (the IVT), as set up in Method 06
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but harder to catch because it
never uses the 4Fh / 0F386h constants: the temporary handler copies AL into
CL, so CL == AL afterwards only if the int 41h actually reached our handler.
When SoftICE swallows the interrupt, CL stays 0 (the check misses in the
1-in-256 case where AL read from the PIT happens to be 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random function number from the PIT
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), the other debugger
installation check; again 0F386h in AX means a system debugger is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
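
The following scanner is an added example (not code from the original page
or from any of the protections it names): it turns Methods 01 to 07 above
into byte signatures and runs them over a buffer, so a packed file can be
checked for these tricks without executing it. The encodings are the 16-bit
ones the DOS snippets above assemble to (an optional 66h prefix covers
32-bit code); the sample buffer is assembled by hand from the Haspinst.exe
listing of Method 02 plus a Method 05 and a Method 03 check, and is not
taken from a real file.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01-07.

Added example, not code from the original page.  Every trick above
assembles to a short instruction sequence whose immediates (the 'BCHK'
and 'FG'/'JM' magics, the 4Fh/43h function numbers, the VxD IDs, the
0F386h answer) are fixed, so a packer that uses them can be found in a
file without running it.  SAMPLE is constructed here by hand.
"""
import re

# (label, regex over raw bytes); matched with re.DOTALL so '.' hits 0x0A too
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh / [66] mov ax,4 / int 3 / cmp al,4
    ("M01 BoundsChecker 'BCHK' int 3",
     rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC\x3C\x04"),
    # Method 02: mov ax,0910h..0914h selects the back door function
    ("M02 back door function in AX", rb"\xB8[\x10-\x14]\x09"),
    # Method 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM'), either order
    ("M02 magic values SI='FG' DI='JM'",
     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46"),
    # Methods 03/04: mov bx,<VxD ID> shortly followed by int 2Fh (AX=1684h)
    ("M03 int 2Fh/1684h for SICE (0202h)", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04 int 2Fh/1684h for SIWVID (7A5Fh)", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh (or mov eax,4Fh in 32-bit code) / int 41h
    ("M05 int 41h/4Fh debugger check", rb"\xB8\x4F\x00(?:\x00\x00)?\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h debugger check", rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h (the same bytes start cmp eax,0F386h)
    ("debugger magic 0F386h compared", rb"\x3D\x86\xF3"),
]


def scan(buf: bytes):
    """Return every (offset, label) hit in buf, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: 4 NOPs, the Method 02 loop from 4C19:0095 assembled
# by hand, 4 NOPs, a Method 05 check, then a Method 03 check.
HASP_LOOP = bytes.fromhex(
    "B81109"    # MOV AX,0911
    "8B17"      # MOV DX,[BX]
    "BE4746"    # MOV SI,4647
    "BF4D4A"    # MOV DI,4A4D
    "CC"        # INT 3
    "83C302"    # ADD BX,02
    "41"        # INC CX
    "83F906"    # CMP CX,06
    "72EB"      # JB 0095
    "E955FF"    # JMP 0002
    "8BDC"      # MOV BX,SP
)
# mov ax,4Fh / int 41h / cmp ax,0F386h / jz +5
INT41_CHECK = bytes.fromhex("B84F00CD413D86F37405")
# xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
INT2F_CHECK = bytes.fromhex("33FF8EC7B88416BB0202CD2F")
SAMPLE = b"\x90" * 4 + HASP_LOOP + b"\x90" * 4 + INT41_CHECK + INT2F_CHECK

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:06X}  {label}")
```

Because the scanner keys on immediates, a protection that builds the magic
values at run time (xor, add) is not found; that is exactly what Method 06
above exploits, and why it is the one listed as hard to catch.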
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS must hold its segment
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can tell whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise: 0x400 is just the reserved bit 10, which always reads as 1,
while 0x700 also has the LE and GE bits 8 and 9 set) and whether some
memory breakpoints are set (dr0 to dr3 hold the BPM addresses). Values can
be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (SICE) VxD answers the device open. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the C literal "\\\\.\\SICE" is the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the device opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; not loaded

There are hundreds of BPX you could use to catch this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 leading "\\.\"):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available under
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word selects the VxD (002Ah = VWIN32),
                                ; low word the service (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" inside key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
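
As an added example (not code from the original page, nor from MeltICE or
AZPR), the following Python locates the MeltICE device names of Method 11
and the registry keys of Method 13 in a buffer, and evaluates the two
breakpoint conditions given above the way SoftICE would. It assumes that
SoftICE's *(p)=='SICE' compares the four bytes at p with the literal in
memory order, which is how the conditions are used on this page; the sample
buffer is constructed here.

```python
"""String-side companion to the byte scanner: the MeltICE device names of
Method 11, the registry keys of Method 13, and the BPX conditions given
for them.  Added example, not code from the original page.

Assumption (labelled): SoftICE's '*(p)==\'SICE\'' is modelled as comparing
the 4 bytes at p with the literal in memory order.  On CreateFileA the
lpFileName argument is esp->4 and +4 skips the leading "\\.\"; on
RegOpenKey the lpSubKey argument is esp->8 and +0x13 / +0x37 land on the
"tICE" of key #2 / key #1.
"""

# Device paths MeltICE opens (ANSI, as passed to CreateFileA / _lopen)
DEVICE_NAMES = {
    b"\\\\.\\SICE":   "Method 11: SoftICE Win9x device (SICE)",
    b"\\\\.\\SIWVID": "Method 11: SoftICE video VxD device (SIWVID)",
    b"\\\\.\\NTICE":  "Method 11: SoftICE NT device (NTICE)",
}

# Registry sub-keys of Method 13 (opened under HKEY_LOCAL_MACHINE)
KEY1 = b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
KEY2 = b"Software\\NuMega\\SoftICE"
KEY3 = b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
REGISTRY_KEYS = {
    KEY1: "Method 13: key #1 (Uninstall\\SoftICE)",
    KEY2: "Method 13: key #2 (NuMega\\SoftICE)",
    KEY3: "Method 13: key #3 (App Paths\\Loader32.Exe)",
}


def find_strings(buf: bytes):
    """Every (offset, label) at which a device name or key appears in buf."""
    hits = []
    for table in (DEVICE_NAMES, REGISTRY_KEYS):
        for needle, label in table.items():
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append((pos, label))
                start = pos + 1
    return sorted(hits)


def dword_at(mem: bytes, off: int) -> bytes:
    """The 4 bytes SoftICE's '*' operator reads at mem+off (shorter if mem ends)."""
    return mem[off:off + 4]


def bpx_createfilea(lp_filename: bytes) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    return dword_at(lp_filename, 4) in (b"SICE", b"SIWV", b"NTIC")


def bpx_regopenkey(lp_subkey: bytes) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    return (dword_at(lp_subkey, 0x13) == b"tICE"
            or dword_at(lp_subkey, 0x37) == b"tICE")


def tice_offset(key: bytes) -> int:
    """Where the breakpoint's 'tICE' sits in a key (-1 if it is absent)."""
    return key.find(b"tICE")


# Constructed sample: filler, the two Win9x device names, key #2, filler.
SAMPLE = (b"\x00" * 8 + b"\\\\.\\SICE\x00" + b"\\\\.\\SIWVID\x00"
          + b"padding" + KEY2 + b"\x00" + b"\x00" * 8)

if __name__ == "__main__":
    for off, label in find_strings(SAMPLE):
        print(f"{off:06X}  {label}")
    for key in (KEY1, KEY2, KEY3):
        print(f"{key.decode():70s} tICE at {tice_offset(key):#x}"
              f"  breakpoint fires: {bpx_regopenkey(key)}")
```

Run stand-alone it prints, for each key, where "tICE" sits, which is how
the 0x13 and 0x37 constants in the _regopenkey breakpoint come about; key #3
never fires that breakpoint, so a program that only reads
App Paths\Loader32.Exe needs a different condition.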
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>