<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
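The methods above each leave a recognisable byte pattern in a binary (the 'BCHK' immediate before an INT 3, the 4647h/4A4Dh magic pair, int 2Fh/1684h with the SICE or SIWVID VxD ID, int 41h/4Fh, int 68h/43h, the \\.\SICE device names, the VxDCall 002A002Ah push). The scanner below is an added example written for this page, not the author's code: it finds those patterns in a raw code buffer so an analyst can tell which tricks a packer uses before running it. The opcode encodings are the standard 16/32-bit x86 ones (mov ax,imm16 = B8 iw, int n = CD ib, int 3 = CC) and the sample buffer is constructed here.

```python
# Added example: static scanner for the SoftICE detection patterns described
# on this page. Encodings assume standard x86 immediates (mov ax,imm16 = B8 iw,
# mov bx,imm16 = BB iw, mov si/di = BE/BF iw, mov ah,imm8 = B4 ib, int n = CD ib).
import re

# (method number from the page, description, compiled byte regex)
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' immediate followed by int 3",
     # 4B 48 43 42 is 04243484Bh little-endian; a few bytes (mov ax,4) then CC
     re.compile(rb"\x4b\x48\x43\x42.{0,8}?\xcc", re.S)),
    ("02", "Back Door: mov si,4647h / mov di,4A4Dh / int 3",
     re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a\xcc")),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     re.compile(rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f")),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     re.compile(rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f")),
    ("05", "mov ax,4Fh / int 41h (0F386h magic check)",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    ("07", "mov ah,43h / int 68h",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("11", "MeltICE / _lopen device name \\\\.\\SICE, SIWVID or NTICE",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
]


def scan(buf: bytes):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(buf: bytes):
    """Distinct page method numbers whose pattern occurs in buf."""
    return sorted({method for _, method, _ in scan(buf)})


# Constructed sample buffer (not taken from any real binary): 4 NOPs, then
# method 01 in 32-bit form, method 03, a MeltICE device name, and method 12.
SAMPLE = (
    b"\x90" * 4
    # mov ebp,04243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz +10h
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    # xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    + b"\\\\.\\SICE\x00"            # "\\.\SICE",0
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"  # push 4Fh ; push 002A002Ah
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:08x}  Method {method}: {desc}")
```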