About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the INT 3 is
issued with EBP = 'BCHK' and AX = 4, and if SoftICE is loaded it answers
the call, so AL no longer holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the utility the
HASP dongle Envelope uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
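When you unpack a stub that uses this back door, the useful thing is to decode each INT 3 from its register state before letting it run. The following C program is an added example, not code from the original text or from Haspinst: it takes a register snapshot (AX, SI, DI, DS:DX) plus a copy of the program's memory, checks the two magic words (4647h/4A4Dh are the ASCII pairs "FG"/"JM"), maps AX to the function table above, reads the command string at DS:DX using the real-mode segment*16+offset rule, and flags HBOOT as the one that reboots the box. The struct and function names, the memory offsets of the six command strings, and the pointer table that stands in for the `[BX]` walk are this example's own constructions; only the segment 4C19h and the six command names come from the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register snapshot at the INT 3 instruction (16-bit real mode). */
struct regs16 { uint16_t ax, si, di, ds, dx; };

enum backdoor_kind {
    BD_NOT_BACKDOOR = 0,   /* ordinary INT 3: no magic in SI/DI */
    BD_DISPLAY_STRING,     /* AX = 0910h, string at DS:DX */
    BD_EXEC_COMMAND,       /* AX = 0911h, command at DS:DX */
    BD_GET_BREAKPOINTS,    /* AX = 0912h */
    BD_SET_BREAKPOINT,     /* AX = 0913h */
    BD_REMOVE_BREAKPOINT,  /* AX = 0914h */
    BD_UNKNOWN_FUNCTION    /* magic present, AX outside 0910h-0914h */
};

struct backdoor_call {
    enum backdoor_kind kind;
    char command[64];      /* DS:DX string for 0910h/0911h, else "" */
    int destructive;       /* 1 if executing it would reboot (HBOOT) */
};

/* Real-mode address: linear = segment * 16 + offset. */
static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Decode one INT 3 from its registers plus a copy of the program's memory
 * (mem[0] lives at linear address base). */
static struct backdoor_call decode_backdoor(const struct regs16 *r,
                                            const uint8_t *mem, size_t len,
                                            uint32_t base)
{
    struct backdoor_call c;
    memset(&c, 0, sizeof c);
    /* SI = 'FG' (4647h) and DI = 'JM' (4A4Dh) must both be present. */
    if (r->si != 0x4647 || r->di != 0x4A4D) return c;   /* BD_NOT_BACKDOOR */
    switch (r->ax) {
    case 0x0910: c.kind = BD_DISPLAY_STRING;    break;
    case 0x0911: c.kind = BD_EXEC_COMMAND;      break;
    case 0x0912: c.kind = BD_GET_BREAKPOINTS;   return c;
    case 0x0913: c.kind = BD_SET_BREAKPOINT;    return c;
    case 0x0914: c.kind = BD_REMOVE_BREAKPOINT; return c;
    default:     c.kind = BD_UNKNOWN_FUNCTION;  return c;
    }
    /* Copy the NUL-terminated string at DS:DX, bounds-checked against the image. */
    uint32_t lin = linear(r->ds, r->dx);
    if (lin < base || lin >= base + len) return c;      /* pointer outside image */
    size_t off = lin - base, n = 0;
    while (off + n < len && mem[off + n] != 0 && n < sizeof c.command - 1) {
        c.command[n] = (char)mem[off + n];
        n++;
    }
    c.command[n] = '\0';
    /* HBOOT executed through SoftICE reboots the machine: the abuse the text warns about. */
    if (c.kind == BD_EXEC_COMMAND && strcmp(c.command, "HBOOT") == 0)
        c.destructive = 1;
    return c;
}

/* Constructed sample: the six command strings of the Haspinst stub, laid out
 * back to back at offset 0100h of its segment 4C19h (offsets are ours). */
#define SAMPLE_SEG  0x4C19
#define SAMPLE_OFF  0x0100
static const uint8_t sample_image[] = {
    'L','D','T',0, 'I','D','T',0, 'G','D','T',0, 'T','S','S',0,
    'R','S',0, 'H','B','O','O','T',0
};
static const uint16_t sample_table[6] = {   /* what the stub's [BX] walks over */
    SAMPLE_OFF + 0, SAMPLE_OFF + 4, SAMPLE_OFF + 8,
    SAMPLE_OFF + 12, SAMPLE_OFF + 16, SAMPLE_OFF + 19
};

static struct backdoor_call decode_sample(uint16_t ax, uint16_t si, uint16_t di, uint16_t dx) {
    struct regs16 r = { ax, si, di, SAMPLE_SEG, dx };
    return decode_backdoor(&r, sample_image, sizeof sample_image,
                           linear(SAMPLE_SEG, SAMPLE_OFF));
}
static enum backdoor_kind sample_kind(uint16_t ax, uint16_t si, uint16_t di, uint16_t dx) {
    return decode_sample(ax, si, di, dx).kind;
}
static int sample_destructive(uint16_t ax, uint16_t si, uint16_t di, uint16_t dx) {
    return decode_sample(ax, si, di, dx).destructive;
}
static int sample_command_is(uint16_t dx, const char *expect) {
    struct backdoor_call c = decode_sample(0x0911, 0x4647, 0x4A4D, dx);
    return strcmp(c.command, expect) == 0;
}
/* Replay the stub's loop (AX=0911h for each table entry); count reboots. */
static int haspinst_destructive_count(void) {
    int n = 0;
    for (int i = 0; i < 6; i++)
        n += sample_destructive(0x0911, 0x4647, 0x4A4D, sample_table[i]);
    return n;
}

int main(void) {
    for (int i = 0; i < 6; i++) {
        struct backdoor_call c = decode_sample(0x0911, 0x4647, 0x4A4D, sample_table[i]);
        printf("INT 3 #%d: exec \"%s\"%s\n", i + 1, c.command,
               c.destructive ? "  <-- reboots the machine" : "");
    }
    return 0;
}
```

Run on the sample, it reports the first five INT 3 calls as harmless display commands and the sixth as HBOOT; a decoder like this is what you would hang off a BPINT 3 condition (SI==4647 && DI==4A4D) before letting the call through.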

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

7 m+ u) B9 t+ P; T__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original one
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies AL into CL...
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; AL = timer counter low byte (pseudo-random)
    xor     cx,cx           ; CL = 0
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; ...so CL != AL means our handler never ran:
    jnz     SoftICE_detected ; something else intercepted int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________4 s# `/ ^; t" i. l- x9 e

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________3 _7 ]6 B% B0 @5 Q/ n% Q& E) f

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
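Reading DR7 is one `mov eax, dr7` in ring 0; interpreting it is where the value of the trick lies. The program below is an added example, not from the original text: it decodes a captured DR7 according to the architectural x86 layout (L0/G0..L3/G3 enables in bits 0-7, LE/GE in bits 8-9, the always-set bit 10, GD in bit 13, R/Wn in bits 16+4n and LENn in bits 18+4n), reports the two signals the text names (0x700 = LE|GE on top of the reserved bit for a loader-started program, 0x400 for a bare one; any enable bit = a BPM armed in DR0-DR3), and shows the "clear the BPMs" manipulation as a mask on the enable bits. The function names, the struct layout and the sample DR0-DR3/DR7 values other than 0x400 and 0x700 are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hw_breakpoint {
    int enabled;        /* L<n> (local) or G<n> (global) enable bit set */
    int global;         /* G<n> set */
    const char *kind;   /* R/W<n> field: "exec", "write", "io", "rw" */
    unsigned length;    /* LEN<n> field: 1, 2, 4 bytes (8 only exists in 64-bit mode) */
};

struct dr7_info {
    int le, ge;          /* bits 8/9: local/global exact breakpoint enable */
    int reserved_ok;     /* bit 10 always reads as 1 */
    int gd;              /* bit 13: general detect (trap on any DRn access) */
    unsigned active;     /* how many of DR0-DR3 are armed */
    struct hw_breakpoint bp[4];
};

static struct dr7_info decode_dr7(uint32_t dr7) {
    static const char *const kinds[4] = { "exec", "write", "io", "rw" };
    static const unsigned lens[4] = { 1, 2, 8, 4 };
    struct dr7_info d;
    memset(&d, 0, sizeof d);
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_ok = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        unsigned rw = (dr7 >> (16 + 4 * i)) & 3, len = (dr7 >> (18 + 4 * i)) & 3;
        d.bp[i].enabled = l || g;
        d.bp[i].global = g;
        d.bp[i].kind = kinds[rw];
        d.bp[i].length = lens[len];
        if (d.bp[i].enabled) d.active++;
    }
    return d;
}

/* Signal 1 from the text: 0x700 (LE|GE|reserved) when started through the
 * SoftICE loader, 0x400 (reserved bit only) otherwise. */
static int dr7_looks_loader_started(uint32_t dr7) {
    struct dr7_info d = decode_dr7(dr7);
    return d.le && d.ge;
}
/* Signal 2: any BPM armed, i.e. any L/G enable bit on. */
static unsigned dr7_active_bpm_count(uint32_t dr7) {
    struct dr7_info d = decode_dr7(dr7);
    return d.active;
}
static const char *dr7_bp_kind(uint32_t dr7, int i) {
    struct dr7_info d = decode_dr7(dr7);
    return d.bp[i].kind;
}
static unsigned dr7_bp_length(uint32_t dr7, int i) {
    struct dr7_info d = decode_dr7(dr7);
    return d.bp[i].length;
}
static int dr7_bp_global(uint32_t dr7, int i) {
    struct dr7_info d = decode_dr7(dr7);
    return d.bp[i].global;
}
/* The "clearing BPMs" manipulation: drop the eight enable bits, keep the rest. */
static uint32_t dr7_clear_bpms(uint32_t dr7) { return dr7 & ~0xFFu; }

/* Constructed DR0-DR3 contents to go with the sample DR7 values below. */
static const uint32_t sample_dr0_3[4] = { 0x00401000, 0, 0x00401234, 0 };
/* Address of the first armed breakpoint, or 0 if none. */
static uint32_t sample_first_armed_address(uint32_t dr7) {
    struct dr7_info d = decode_dr7(dr7);
    for (int i = 0; i < 4; i++)
        if (d.bp[i].enabled) return sample_dr0_3[i];
    return 0;
}

static void report(uint32_t dr7) {
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%u%s\n", dr7, d.le, d.ge, d.gd,
           d.active, dr7_looks_loader_started(dr7) ? " (loader signature)" : "");
    for (int i = 0; i < 4; i++)
        if (d.bp[i].enabled)
            printf("  DR%d=%08x %s len=%u %s\n", i, sample_dr0_3[i], d.bp[i].kind,
                   d.bp[i].length, d.bp[i].global ? "global" : "local");
}

int main(void) {
    /* The two values quoted in the text, then a constructed DR7 with BPM 0 armed
     * as a 4-byte write watch (L0, R/W0=01, LEN0=11) plus a global execute
     * breakpoint in slot 2 (G2), and the same value with the BPMs cleared. */
    report(0x00000400u);
    report(0x00000700u);
    report(0x000D0721u);
    report(dr7_clear_bpms(0x000D0721u));
    return 0;
}
```

The same decoder serves the defender: if a protected program reads DR7 and branches on `0x700`, you know it is the LE/GE pair it is keying on, and you know exactly which enable bits it would have to write to clear your BPMs.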

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
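The sample above probes only SICE; a real MeltICE-style check walks all three names the text lists, and the BPX conditions given for catching it all key on the four bytes after the `\\.\` prefix. The program below is an added example, written for this page and not taken from MeltICE or nmtrans.dll: it generalises the probe to SICE, SIWVID and NTICE, puts the actual open call behind a function pointer (the real `CreateFileA` opener is compiled only on Windows; a constructed fake opener stands in elsewhere so the logic runs offline), and implements, on the defender's side, the same prefix test a CreateFileA hook would apply. The callback type, the `probe_softice`/`is_softice_probe_path` names and the fake opener are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names MeltICE opens; the open reaches the driver's Control_Dispatch
 * with DIOC_OPEN, which SoftICE answers with success when it is loaded. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",     /* SoftICE for Windows 95/98 (VxD ID 0202h) */
    "\\\\.\\SIWVID",   /* SoftICE video VxD (VxD ID 7A5Fh) */
    "\\\\.\\NTICE",    /* SoftICE for Windows NT */
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Returns 1 if the named device could be opened, 0 otherwise. */
typedef int (*open_probe_fn)(const char *device_path, void *ctx);

/* Attacker side: index of the first device that opened, or -1 if none did. */
static int probe_softice(open_probe_fn try_open, void *ctx) {
    for (size_t i = 0; i < N_DEVICES; i++)
        if (try_open(softice_devices[i], ctx))
            return (int)i;
    return -1;
}

#ifdef _WIN32
/* Real opener: the same CreateFileA call as the page's IsSoftIce95Loaded(). */
static int win32_try_open(const char *path, void *ctx) {
    (void)ctx;
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Defender side: what a CreateFileA hook (or the page's BPX condition
 * *(esp->4+4)=='SICE' || ... ) tests on the filename argument.  Like the
 * BPX it looks only at the four bytes after the "\\.\" prefix. */
static int is_softice_probe_path(const char *path) {
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    for (size_t i = 0; i < 3; i++)
        if (strncmp(path + 4, tags[i], 4) == 0) return 1;
    return 0;
}

/* Constructed opener for offline runs: pretends that exactly the device
 * named in ctx->present exists and counts what the hook test would flag. */
struct fake_ctx { const char *present; int asked; int flagged_by_hook; };
static int fake_try_open(const char *path, void *ctx) {
    struct fake_ctx *f = ctx;
    f->asked++;
    if (is_softice_probe_path(path)) f->flagged_by_hook++;
    return f->present != NULL && strcmp(path, f->present) == 0;
}
static int probe_pretending(const char *present_device) {
    struct fake_ctx f = { present_device, 0, 0 };
    return probe_softice(fake_try_open, &f);
}
static int hook_hits_pretending(const char *present_device) {
    struct fake_ctx f = { present_device, 0, 0 };
    probe_softice(fake_try_open, &f);
    return f.flagged_by_hook;   /* every path the probe tried is a hook hit */
}

int main(void) {
#ifdef _WIN32
    int hit = probe_softice(win32_try_open, NULL);
#else
    int hit = probe_pretending("\\\\.\\NTICE");   /* offline demo */
#endif
    if (hit >= 0)
        printf("SoftICE detected via %s\n", softice_devices[hit]);
    else
        printf("SoftICE not detected\n");
    return 0;
}
```

Because the probe stops at the first success, a hook sees one path on a Win9x box with SICE loaded but all three when nothing is loaded; either way every path it sees passes `is_softice_probe_path`, which is why the single-condition BPX on CreateFileA is enough to catch the trick.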

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.