About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker request: SoftICE answers by changing al
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table (assumed by the original snippet)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install int41handler2 as the int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the original vector in bx:dx
    mov     ax,4fh
    int     41h                     ; a system debugger intercepts this before the IVT handler runs
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: ax stays 4Fh when no debugger is present
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, saving the original
    xchg    bx, es:[41h*4+2]        ; vector in bx:dx
    in      al, 40h                 ; hard-to-predict value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our own handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

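The two DR7 values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) are easier to reason about once the register's bit layout is written out. The decoder below is an added example and not part of the original text; it takes DR7 and the DR0..DR3 addresses as plain integers (a ring-0 driver or a crash dump would supply them; nothing here reads the registers), lists the hardware breakpoints (BPMs) they describe, and names the two states the text distinguishes. The sample values in the main block are constructed.

```python
"""DR7 decoder for the debug-register check described in Method 10.

Added example, not part of the original text. Layout of DR7 (Intel SDM vol. 3,
"Debug Registers"):
  bits 0..7    L0,G0 .. L3,G3   local/global enable of breakpoint slot 0..3
  bits 8, 9    LE, GE           local/global "exact breakpoint" enables
  bit  10      reserved, always reads as 1
  bit  13      GD               general detect: any MOV to/from DRn traps
  bits 16..31  R/W0,LEN0 .. R/W3,LEN3   condition and size of each slot
"""

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_BIT10 = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding 10b means 8 bytes on 64-bit capable CPUs (undefined on older ones)
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr_addrs=(0, 0, 0, 0)):
    """Return the control flags and the list of armed hardware breakpoints.

    dr_addrs holds DR0..DR3; an address only means something for a slot whose
    local or global enable bit is set.
    """
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        length = (dr7 >> (18 + 4 * slot)) & 3
        armed.append({
            "slot": slot,
            "address": dr_addrs[slot],
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "breakpoints": armed,
    }


def classify(dr7):
    """Name the states the text distinguishes.

    0x400 is nothing but the always-set reserved bit, i.e. an untouched DR7;
    0x700 additionally carries LE and GE, the state the SoftICE loader leaves.
    """
    if (dr7 & ~DR7_RESERVED_BIT10) == 0:
        return "clean"
    parts = []
    if dr7 & (DR7_LE | DR7_GE):
        parts.append("LE/GE set (SoftICE loader pattern, 0x700)")
    if decode_dr7(dr7)["breakpoints"]:
        parts.append("hardware breakpoints armed")
    if dr7 & DR7_GD:
        parts.append("GD set: any access to DRn will trap")
    return "; ".join(parts) or "other bits set"


if __name__ == "__main__":
    # Constructed sample: loader state plus one 'BPM 401000 W' sitting in DR0
    # (L0 = bit 0, R/W0 = 01b at bits 16-17, LEN0 = 00b at bits 18-19).
    sample_dr7 = 0x700 | 1 | (1 << 16)
    print(hex(sample_dr7), classify(sample_dr7))
    for bp in decode_dr7(sample_dr7, (0x401000, 0, 0, 0))["breakpoints"]:
        print(bp)
```

The two values the text gives differ only in bits 8 and 9 (0x300), which is why the trick works without any breakpoint being set: the loader's LE/GE bits alone give it away, and any BPM adds an enable bit plus an R/W and LEN field that the decoder turns back into the breakpoint you typed.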
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
: m( w( I7 L/ L. H3 {</PRE></TD></TR></TBODY></TABLE>