About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.