<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
; K2 w' {* F: M! M! L2 I
Method 07
0 K- W- C! N: b$ x* Z2 V6 a=========
t" W) d. |3 L( N" F* ^
) D; a) m" o9 z, v6 hMethod of detection of the WinICE handler in the int68h (V86)
) Y) {% s2 T6 \6 ^$ w: d! U; Y6 y0 a c$ |; F
mov ah,43h" r& G. j1 |% p: H# \3 u6 s
int 68h
5 `/ |" a# q' [# ~ cmp ax,0F386h! j1 ? s5 m1 P( _5 E
jz SoftICE_Detected9 s& \! t" s) D& j" a
, i* z- k; o* q; `- P) Q0 m6 C
( K& a7 c9 R. M: L8 M=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit& J' d# C: D* K" ?" G1 v8 v1 j
app like this:
" T4 ~# f. Z# t8 _9 \; y' v+ S5 x. K+ u2 C4 b! n: Q8 o
BPX exec_int if ax==68
' e r+ d. o! ~9 r0 j1 y# U (function called is located at byte ptr [ebp+1Dh] and client eip is" A P1 k" D+ K; f j
located at [ebp+48h] for 32Bit apps)
: ~2 Z! Y: Q. E. n6 o' B__________________________________________________________________________& p! Q* T( ?. C7 _8 {; ?

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the \\.\SICE device (the Win9x SoftICE VxD) can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
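The tricks above all leave recognisable bytes behind: the fixed immediates of methods 01, 02, 03/04, 05, 07 and 12, and the device names and registry key of methods 11 and 13. The following scanner is an added example (not part of the original text) that searches a raw code/data blob for those byte sequences so an analyst can locate the check in a sample; the x86 encodings are standard, and the sample input at the bottom is constructed.

```python
"""Static scanner for the anti-SoftICE checks catalogued above (added example)."""
import re

# (label, regex over raw bytes). DOS-era methods use 16-bit encodings; an
# optional 0x66 prefix covers the same immediates inside 32-bit code.
# Labels refer to the method numbers in the text.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' loaded into ebp",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),                  # mov ebp,4243484Bh
    ("M02 back-door magic si=4647h / di=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A")),    # mov si,.. ; mov di,..
    ("M03/M04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) id",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("M05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),                  # mov ax,4Fh ; int 41h
    ("M07 int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),                      # mov ah,43h ; int 68h
    ("M05/M07/M12 compare against magic 0F386h",
     re.compile(rb"\x3D\x86\xF3")),                          # cmp ax,0F386h
    ("M12 VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),          # push 4Fh ; push 2A002Ah
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),         # \\.\SICE etc.
    ("M13 NuMega registry key",
     re.compile(rb"NuMega\\SoftICE")),
]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(blob):
    """Distinct labels seen in blob, ordered by first offset."""
    seen = []
    for _, label in scan(blob):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample: filler, a Method 02 back-door sequence in the style of
# the Haspinst listing, a Method 05 int 41h check, then a MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"                       # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A"           # mov si,4647h ; mov di,4A4Dh
    + b"\xCC"                               # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                # "\\.\SICE"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```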
</PRE></TD></TR></TBODY></TABLE>