<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h   ; VxD ID of winice
 int 2Fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh   ; VxD ID of SIWVID
 int 2fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number   ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>