<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the handshake by changing AL
    cmp al,4
    jnz SoftICE_Detected    ; AL != 4 -> SoftICE is present

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di               ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number answered by system debuggers
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...and keep the old vector in dx:bx
    mov ax,4fh
    int 41h                 ; if SoftICE is loaded it handles int 41h itself
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: ax stays 4Fh without a debugger
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies the random AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer value, unpredictable
    xor cx,cx
    int 41h                 ; reaches our handler only if nothing else hooks int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL still 0 -> the call was intercepted
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE device; this only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
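As an added example (not part of the original text), here is a small Python scanner
that flags the byte sequences of methods 01 to 07 and 12 in a raw code blob, the way
an analyst would triage a packed sample for these checks. The rule names, window
sizes and the sample bytes are constructed here; the immediates and interrupt
numbers come from the listings above.

```python
"""Static scanner for the SoftICE-detection sequences described on this page.

Each rule anchors on the trap instruction that performs the check (int 3,
int 2Fh, int 41h, int 68h, or the VxDCall argument push of Method 12) and
requires the distinctive immediates (magic values, VxD IDs, function numbers)
to appear in the bytes just before it. Fragments use the 16-bit encodings; the
32-bit encodings only add a 66h prefix, so the same substrings match both.
Heuristic only: a hit means "looks like", not proof.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    anchor: bytes      # regex for the instruction that fires the check
    fragments: tuple   # regexes that must ALL occur within `window` bytes before it
    window: int = 24   # constructed default, wide enough for the listings above


RULES = (
    Rule("Method 01", rb"\xCC|\xCD\x03",                       # int 3
         (rb"\x4B\x48\x43\x42", rb"\xB8\x04\x00")),            # 'BCHK' imm32, mov ax,4
    Rule("Method 02", rb"\xCC|\xCD\x03",                       # int 3 back door
         (rb"\xBE\x47\x46", rb"\xBF\x4D\x4A")),                # mov si,4647h / mov di,4A4Dh
    Rule("Method 03", rb"\xCD\x2F",                            # int 2Fh
         (rb"\xB8\x84\x16", rb"\xBB\x02\x02")),                # ax=1684h, bx=0202h (SICE)
    Rule("Method 04", rb"\xCD\x2F",
         (rb"\xB8\x84\x16", rb"\xBB\x5F\x7A")),                # ax=1684h, bx=7A5Fh (SIWVID)
    Rule("Method 05/06", rb"\xCD\x41", (rb"\xB8\x4F\x00",)),   # int 41h, ax=4Fh
    Rule("Method 07", rb"\xCD\x68", (rb"\xB4\x43",)),          # int 68h, ah=43h
    Rule("Method 12", rb"\x68\x2A\x00\x2A\x00",                # push 002A002Ah
         (rb"\x6A\x4F|\x68\x4F\x00\x00\x00",), 8),             # push 4Fh (imm8 or imm32)
)


def scan_for_softice_checks(code: bytes):
    """Return (rule name, anchor offset) pairs, sorted by offset."""
    hits = []
    for rule in RULES:
        for m in re.finditer(rule.anchor, code):
            region = code[max(0, m.start() - rule.window):m.start()]
            if all(re.search(frag, region) for frag in rule.fragments):
                hits.append((rule.name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample (not a real file): a stray int 3 with no magic values,
# the Haspinst.exe back-door loop of Method 02, an int 41h/4Fh probe
# (Method 05) and a 32-bit encoded int 2Fh/1684h probe for ID 0202h (Method 03).
SAMPLE = (
    b"\x90\x90\xCC\x90"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
    + b"\x66\x31\xFF\x8E\xC7\x66\xB8\x84\x16\x66\xBB\x02\x02\xCD\x2F"
)

if __name__ == "__main__":
    for name, offset in scan_for_softice_checks(SAMPLE):
        print(f"{name} at offset 0x{offset:04X}")
```

Run it over the raw code section of a suspect file rather than the whole image, and treat a hit as a lead to confirm under the debugger with the BPX/BPINT lines given for each method.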
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>