<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE recognises a
BoundsChecker request (EBP = 'BCHK', AX = 04h, then INT 3) and answers it
by modifying AL, so if AL still holds 04h after the INT 3 nobody was there
to answer. Under Win32 the program needs an exception handler around the
INT 3, otherwise the INT 3 is fatal when no debugger is present.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL unchanged = nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed by the program's own INT 3 handler (its
 exception handler) if the debugger is not loaded; when SoftICE is loaded
 it swallows the INT 3 and execution continues at 00A1.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). The call returns the entry point in ES:DI, or
leaves ES:DI = 0000:0000 if no VxD with that ID is loaded, so a non-zero
result means the VxD (and thus SoftICE) is there:

 xor di,di
 mov es,di ; ES:DI = 0000:0000 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; ES+DI is only zero if nothing was returned
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by any system
debugger that implements the Windows debugging interface. It calls int 41h,
function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

Caveat: unless something (the Windows debug interface or a debugger) has
hooked int 41h, the int 41h entry of the interrupt vector table is not code
at all but the BIOS pointer to the fixed disk parameter table of drive 0, so
the naive version above can crash when no debugger is around. That is why
the next two variants first point int 41h at a dummy handler of their own.

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 so that ES:[41h*4] is the int 41h IVT entry
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install the dummy handler, old vector -> BX:DX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; SoftICE answers this before it reaches the IVT
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret ; no debugger: AX comes back unchanged (4Fh)
int41handler2 ENDP

(The two ES = 0 lines at the top are not in the original listing; they are
the same prologue Method 06 uses and are needed for the ES: accesses.)

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
because there is no 4Fh function code nor 0F386h constant to put a
conditional breakpoint on. The dummy handler copies AL into CL; AL is
loaded with a pseudo-random byte (the PIT counter read from port 40h) and
CX is zeroed before the call:

int41handler PROC
 mov cl,al ; only runs if the IVT vector is really used
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 so that ES:[41h*4] is the int 41h IVT entry
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install the handler, old vector -> BX:DX
 xchg bx, es:[41h*4+2]
 in al, 40h ; random value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; CL == AL only if our own handler ran
 jnz SoftICE_detected

If no debugger is loaded, the int 41h goes through the IVT, the handler runs
and CL == AL. If SoftICE is loaded, it answers int 41h itself, the handler
never runs, CL stays 0 and the compare fails (a false negative is possible
when the random AL happens to be 0, one chance in 256).

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode): function
43h is the installation check and a system debugger answers AX = 0F386h.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value. A MOV from or to DR0-DR7 raises a general protection fault in
ring3, so this is ring0 only (a VxD, or a ring0 gate). Values can be
manipulated or changed as well (clearing BPMs for instance).

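The bit layout the check above relies on, as an added example that is not code from the original article: a Python model of DR7 that reports which of DR0-DR3 are armed (what a protector is really after), the access type and length of each, and the LE/GE bits behind the article's 0x700-versus-0x400 observation; it also shows what "clearing BPMs" amounts to. The layout is the documented IA-32 one, the 0x700/0x400 values are the article's, and the function names, `arm_bpm` included, are this example's own. The actual `mov eax, dr7` is left out since it needs a VxD or kernel driver.

```python
"""DR7 decoder / editor for the Method 10 check (added example)."""
from typing import Dict, List

# DR7 layout (IA-32):
#   bits 0..7   L0 G0 L1 G1 L2 G2 L3 G3  local/global enable of slot n
#   bits 8, 9   LE, GE                   exact-match bits: the 0x300 on top
#                                        of 0x400 when the SoftICE loader
#                                        started the program (article's value)
#   bit 10      reserved, always 1       -> the "0x400 otherwise"
#   bit 13      GD                       trap any MOV to/from a debug register
#   bits 16..31 RWn (2 bits) | LENn (2 bits) for n = 0..3
RESERVED_BIT10 = 1 << 10
ENABLE_MASK = 0xFF
LE_GE_MASK = 0x300
GD_BIT = 1 << 13
ACCESS = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "rw"}
LENGTH = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes, 64-bit only


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its fields; 'armed' is what a protector tests for."""
    slots: List[Dict] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        slots.append({
            "slot": n, "local": local, "global": glob, "armed": local or glob,
            "access": ACCESS[(dr7 >> (16 + 4 * n)) & 0b11],
            "length": LENGTH[(dr7 >> (18 + 4 * n)) & 0b11],
        })
    return {
        "slots": slots,
        "le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & GD_BIT),
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
    }


def has_bpm(dr7: int) -> bool:
    """True if any hardware breakpoint (DR0..DR3) is enabled."""
    return (dr7 & ENABLE_MASK) != 0


def loaded_by_softice_loader(dr7: int) -> bool:
    """The article's heuristic: a program started from the SoftICE loader
    sees LE|GE set on top of the reserved bit (0x700), otherwise 0x400."""
    return (dr7 & (LE_GE_MASK | RESERVED_BIT10)) == 0x700


def arm_bpm(dr7: int, slot: int, access: str, length: int,
            global_: bool = True) -> int:
    """Return DR7 with slot n programmed the way a debugger's BPM would be."""
    rw = {v: k for k, v in ACCESS.items()}[access]
    ln = {v: k for k, v in LENGTH.items()}[length]
    field = 16 + 4 * slot
    dr7 = (dr7 & ~(0b1111 << field)) & 0xFFFFFFFF       # clear old RW/LEN
    dr7 |= (rw << field) | (ln << (field + 2))
    dr7 |= 1 << (2 * slot + (1 if global_ else 0))       # Gn or Ln
    return dr7 | RESERVED_BIT10


def clear_bpms(dr7: int) -> int:
    """What a ring0 protector does to kill every BPM: drop all enable bits
    and RW/LEN fields, keep LE/GE/GD and the always-set bit 10."""
    return (dr7 & 0x3F00) | RESERVED_BIT10


def describe(dr7: int) -> str:
    """One-line summary plus one line per armed slot."""
    d = decode_dr7(dr7)
    lines = [f"DR7 = {dr7:#010x}  loader={loaded_by_softice_loader(dr7)} "
             f"LE={d['le']} GE={d['ge']} GD={d['gd']} bpm={has_bpm(dr7)}"]
    for s in d["slots"]:
        if s["armed"]:
            scope = "global" if s["global"] else "local"
            lines.append(f"  DR{s['slot']}: {s['access']} len={s['length']} ({scope})")
    return "\n".join(lines)


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x700, 0, "rw", 4)):
        print(describe(value))
```

Note that `has_bpm` only needs the low byte of DR7; a protector does not care which slot or what kind of BPM it is, only that one is enabled, which is why clearing the enable bits from ring0 is enough to blind the debugger without touching DR0-DR3 themselves.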
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open only succeeds if the driver is
loaded.

Here is a sample (checking for 'SICE'):

 #include <windows.h>

 BOOL IsSoftIce95Loaded(void)
 {
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* open succeeded: driver is loaded */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
 }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName, the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

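Every method so far leaves a fixed byte pattern in the protected program: the instruction sequences of Methods 01 to 08 and 12, and the device and registry strings of Methods 11 and 13. The following is an added example, not code from the original article nor from any of the programs it mentions: a static scanner that looks for those patterns in a raw code image, so you know which SoftICE checks to expect before loading the target. The fragment encodings are the standard 16-bit x86 ones (a 32-bit build only adds a 66h prefix, which leaves each fragment intact), the 24-byte proximity window is this example's own heuristic, and the sample image at the bottom is constructed for the demo.

```python
"""Static scanner for the SoftICE checks catalogued on this page (added example)."""
import re
from typing import List, Tuple

# All fragments of one signature must lie within WINDOW bytes of the first
# fragment (either side), so reordered or padded variants still match.
WINDOW = 24

SIGNATURES: List[Tuple[str, List[bytes]]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / int 3 / cmp al,4
    ("M01 BoundsChecker 'BCHK' int 3",
     [rb"\xBD\x4B\x48\x43\x42", rb"\xCC", rb"\x3C\x04"]),
    # Method 02: mov si,4647h ('FG') / mov di,4A4Dh ('JM') / int 3
    ("M02 SoftICE int 3 back door (SI='FG', DI='JM')",
     [rb"\xBE\x47\x46", rb"\xBF\x4D\x4A", rb"\xCC"]),
    # Methods 03/04: mov ax,1684h / mov bx,VxD-ID / int 2Fh
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     [rb"\xB8\x84\x16", rb"\xBB\x02\x02", rb"\xCD\x2F"]),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     [rb"\xB8\x84\x16", rb"\xBB\x5F\x7A", rb"\xCD\x2F"]),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("M05 int 41h/4Fh magic 0F386h",
     [rb"\xB8\x4F\x00", rb"\xCD\x41", rb"\x3D\x86\xF3"]),
    # Method 06: in al,40h / int 41h / cmp cl,al (either operand order)
    ("M06 int 41h with random AL and IVT hook",
     [rb"\xE4\x40", rb"\xCD\x41", rb"\x3A\xC8|\x38\xC1"]),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h",
     [rb"\xB4\x43", rb"\xCD\x68", rb"\x3D\x86\xF3"]),
    # Method 08: mov ah,25h + mov al,1|3 (or mov ax,2501h|2503h) / int 21h
    ("M08 int 21h/25h re-vectoring int 1 or int 3",
     [rb"\xB4\x25|\xB8[\x01\x03]\x25", rb"\xB0[\x01\x03]|\xB8[\x01\x03]\x25",
      rb"\xCD\x21"]),
    # Method 12: push 4Fh / push 2A002Ah / call VxDCall / cmp ax,0F386h
    ("M12 VxDCall VWIN32_Int41Dispatch",
     [rb"\x6A\x4F", rb"\x68\x2A\x00\x2A\x00", rb"\x3D\x86\xF3"]),
]

# Plain strings: MeltICE device names (Method 11) and registry paths (Method 13).
STRINGS: List[Tuple[str, bytes]] = [
    ("M11 MeltICE device name", b"\\\\.\\SICE"),
    ("M11 MeltICE device name", b"\\\\.\\SIWVID"),
    ("M11 MeltICE device name", b"\\\\.\\NTICE"),
    ("M13 registry key", b"Software\\NuMega\\SoftICE"),
    ("M13 registry key", b"Uninstall\\SoftICE"),
    ("M13 registry key", b"App Paths\\Loader32.Exe"),
]

_COMPILED = [(label, [re.compile(p) for p in frags]) for label, frags in SIGNATURES]


def scan(image: bytes, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature and string found, sorted."""
    hits: List[Tuple[int, str]] = []
    for label, frags in _COMPILED:
        first, rest = frags[0], frags[1:]
        for m in first.finditer(image):
            region = image[max(0, m.start() - window): m.start() + window]
            if all(f.search(region) for f in rest):
                hits.append((m.start(), label))
    for label, needle in STRINGS:
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample image (not from any real program): three of the
# sequences above plus two MeltICE device names, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    # Haspinst-style: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 8
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x90" * 8
    # Method 12, 32-bit: push 4Fh / push 2A002Ah / call [VxDCall] / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00\x66\x3D\x86\xF3"
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

Run it against a whole file (`scan(open(path, "rb").read())`) and the offsets give you where to put the BPX or, for the int 3 back door, which call sites to patch. The window keeps the constants-only fragments (`3D 86 F3`, `CD 21`) from firing on their own; tighten or widen it according to how much junk the packer inserts between the instructions.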
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set = no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>