<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap our own handler into the int 41h vector
    xchg bx, es:[41h*4+2]    ; (ES must point to IVT segment 0, as in Method 06)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Tries to open the SoftICE Win9x driver by name: the open only succeeds
   when the VxD is loaded, so a valid handle means SoftICE is active. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* release the handle we just opened */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

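An added example (my own code, not part of the original text nor of any tool named here): a Python static scanner that flags the opcode and string patterns of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw code buffer, so an analyst can spot these anti-debugger checks before single-stepping into them. The byte patterns are hand-assembled from this page's listings; the rule labels and the sample buffer are constructed.

```python
"""Static scan for the anti-SoftICE patterns listed on this page (constructed example)."""
import re
from typing import List, Tuple

# (label, byte regex). Opcodes are the 16-bit encodings of the listings above; a
# 66h operand-size prefix in 32-bit code precedes them, so the patterns still hit.
RULES = [
    # Method 01: mov ebp,04243484Bh ('BCHK', little-endian in memory)
    ("01 BCHK/BoundsChecker", re.compile(rb"\xbd\x4b\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh within 16 bytes (back-door magic)
    ("02 int 3 back door", re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h", re.compile(rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f")),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh", re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xb4\x43\xcd\x68")),
    # Method 11: driver names opened by MeltICE / _lopen
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    ("12 VxDCall Int41Dispatch", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    # Method 13: registry key #2 from the list above
    ("13 registry lookup", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every rule hit, ordered by offset."""
    hits = [(label, m.start()) for label, rx in RULES for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_found(data: bytes) -> List[str]:
    """Distinct method labels present in the buffer, sorted."""
    return sorted({label for label, _ in scan(data)})


# Constructed sample: the Method 01 stub and the Haspinst back-door call,
# hand-assembled as 16-bit code, plus a MeltICE device name from a data section.
SAMPLE = (
    b"\x66\xbd\x4b\x48\x43\x42"            # mov ebp,04243484Bh
    b"\xb8\x04\x00"                        # mov ax,04h
    b"\xcc"                                # int 3
    b"\x3c\x04"                            # cmp al,4
    b"\x75\x10"                            # jnz SoftICE_Detected
    b"\x90\x90\x90\x90\x90\x90\x90\x90"    # padding
    b"\xb8\x11\x09"                        # mov ax,0911h
    b"\x8b\x17"                            # mov dx,[bx]
    b"\xbe\x47\x46"                        # mov si,4647h
    b"\xbf\x4d\x4a"                        # mov di,4A4Dh
    b"\xcc"                                # int 3
    b"\x90\x90\x90\x90\x90\x90\x90\x90"    # padding
    b"\\\\.\\SICE\x00"                     # "\\.\SICE",0
)

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"{off:#06x}  method {label}")
```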
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>