About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4,
the int 3 is answered by SoftICE, which changes AL. If AL still holds 4
afterwards, no debugger handled the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT, a hard reboot of the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API Entry Point), which returns ES:DI = 0:0 when the VxD is not
loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE graphics/video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is first
pointed at a dummy handler, so AX can only come back as 0F386h if the
interrupt is intercepted before the IVT handler runs, i.e. by the system
debugger, and not by some TSR faking the answer:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (IVT segment), as in method 06
    xchg    bx, es:[41h*4+2]    ; swap in our handler, keep the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. A
value read from the timer port (40h) is passed in AL and the dummy handler
copies it into CL, so CL equals AL only if the dummy handler actually ran
(with a rare false negative when the timer byte happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
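The four interrupt-based checks above (methods 01, 02, 05 and 07) each leave a fixed byte sequence in the protected program, so a reverser can locate them statically instead of tracing into them. The following C program is an added example, not part of the original text or of any tool it mentions: it scans a raw code image for those sequences and reports the offset of each hit. The encodings are those of 16-bit code; the 66h operand-size prefix that 32-bit code puts before mov ax/si/di is deliberately not part of the patterns, so both flavours match. The sample image is constructed by hand from the Haspinst.exe listing and the other snippets above, and the window sizes are a choice of mine, not something the text specifies.

```c
/* Static scanner for the int 3 / int 41h / int 68h SoftICE checks.
 * Added example; the SAMPLE image is constructed, not taken from a real file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hit { const char *name; size_t off; };

/* A rule is an anchor byte sequence plus up to two sequences that must follow
 * it within 'window' bytes (other instructions, e.g. mov dx,[bx], may sit between). */
struct rule {
    const char *name;
    const uint8_t *anchor;  size_t alen;
    const uint8_t *follow1; size_t f1len;
    const uint8_t *follow2; size_t f2len;
    size_t window;
};

static const uint8_t MOV_EBP_BCHK[] = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t MOV_AX_4[]     = {0xB8,0x04,0x00};           /* mov ax,4          */
static const uint8_t INT3[]         = {0xCC};                     /* int 3             */
static const uint8_t MOV_SI_FG[]    = {0xBE,0x47,0x46};           /* mov si,4647h 'FG' */
static const uint8_t MOV_DI_JM[]    = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh 'JM' */
static const uint8_t MOV_AX_4F[]    = {0xB8,0x4F,0x00};           /* mov ax,4Fh        */
static const uint8_t INT41[]        = {0xCD,0x41};                /* int 41h           */
static const uint8_t MOV_AH_43[]    = {0xB4,0x43};                /* mov ah,43h        */
static const uint8_t INT68[]        = {0xCD,0x68};                /* int 68h           */

static const struct rule RULES[] = {
    {"method01 BCHK int 3",     MOV_EBP_BCHK, sizeof MOV_EBP_BCHK, MOV_AX_4,  sizeof MOV_AX_4,  INT3, sizeof INT3, 16},
    {"method02 int 3 backdoor", MOV_SI_FG,    sizeof MOV_SI_FG,    MOV_DI_JM, sizeof MOV_DI_JM, INT3, sizeof INT3, 24},
    {"method05 int 41h/4Fh",    MOV_AX_4F,    sizeof MOV_AX_4F,    INT41,     sizeof INT41,     NULL, 0,           8},
    {"method07 int 68h/43h",    MOV_AH_43,    sizeof MOV_AH_43,    INT68,     sizeof INT68,     NULL, 0,           8},
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* First offset of pat in buf[start, start+window) (clamped to len), or SIZE_MAX. */
static size_t find_bytes(const uint8_t *buf, size_t len, size_t start, size_t window,
                         const uint8_t *pat, size_t plen)
{
    if (start >= len) return SIZE_MAX;
    size_t end = (window > len - start) ? len : start + window;
    for (size_t i = start; i + plen <= end; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return i;
    return SIZE_MAX;
}

/* Returns the number of matches; the first max_hits of them are stored in hits. */
size_t scan_antisice(const uint8_t *buf, size_t len, struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t r = 0; r < NRULES; r++) {
        const struct rule *R = &RULES[r];
        size_t pos = 0;
        for (;;) {
            size_t a = find_bytes(buf, len, pos, len, R->anchor, R->alen);
            if (a == SIZE_MAX) break;
            pos = a + 1;
            size_t f1 = find_bytes(buf, len, a + R->alen, R->window, R->follow1, R->f1len);
            if (f1 == SIZE_MAX) continue;
            if (R->f2len &&
                find_bytes(buf, len, f1 + R->f1len, R->window, R->follow2, R->f2len) == SIZE_MAX)
                continue;
            if (n < max_hits) { hits[n].name = R->name; hits[n].off = a; }
            n++;
        }
    }
    return n;
}

/* Constructed sample image (not from a real binary): method 01, the Haspinst
 * method 02 loop, method 05, method 07, then a decoy 'mov si,4647h ; ret'
 * that must not be reported because no di load / int 3 follows it. */
const uint8_t SAMPLE[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,  /*  0: method 01 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,              /* 14: method 02 */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEC,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,                         /* 35: method 05 */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x05,                              /* 45: method 07 */
    0xBE,0x47,0x46, 0xC3,                                                         /* 54: decoy     */
};
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void)
{
    struct hit hits[16];
    size_t n = scan_antisice(SAMPLE, SAMPLE_LEN, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%-24s at offset %zu\n", hits[i].name, hits[i].off);
    return 0;
}
```

On the sample the scanner reports four hits (method 01 at offset 1, the Haspinst loop at 19, method 05 at 35, method 07 at 45) and ignores the decoy. Run over a real DOS executable or an unpacked PE section, the offsets are where to put a BPX before the int to watch the check fire.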
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
0x400 is only the always-set reserved bit 10, while 0x700 also has the LE
and GE bits 8 and 9 set) or if there are some memory breakpoints set (dr0 to
dr3) simply by reading their value (in ring 0 only). Values can be
manipulated and/or changed as well (clearing BPMs for instance).

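What the two DR7 values quoted in method 10 mean, and the check and the 'clearing BPMs' manipulation that paragraph describes, as an added C example that is not part of the original text. Reading DR7 itself needs ring 0 (a mov from DR7 in ring 3 raises #GP), so the code only interprets a value already obtained that way; the bit layout is the one Intel documents (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, the always-one reserved bit 10, GD bit 13, R/W and LEN pairs in bits 16-31). The sample values are the text's 0x700 and 0x400 plus a constructed one with a 4-byte write breakpoint in DR0.

```c
/* DR7 decoding for the method 10 check.  Added example, not from the text.
 * Only interprets a value already read in ring 0. */
#include <stdint.h>
#include <stdio.h>

struct dr7_bp { int local, global, rw, len_bytes; };

struct dr7_info {
    int le, ge, gd;          /* local exact, global exact, general detect */
    int reserved_ok;         /* bit 10, always 1 on real hardware */
    unsigned enabled_mask;   /* bit i set if breakpoint i has L or G set */
    struct dr7_bp bp[4];
};

/* LEN field: 00b=1 byte, 01b=2, 11b=4, 10b=8 (64-bit mode only). */
static int len_field_to_bytes(unsigned f)
{
    switch (f) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* R/W field: 00b=execute, 01b=write, 10b=I/O (with CR4.DE), 11b=read/write. */
const char *dr7_rw_name(int rw)
{
    static const char *names[] = {"execute", "write", "io", "read/write"};
    return names[rw & 3];
}

void decode_dr7(uint32_t dr7, struct dr7_info *o)
{
    o->le = (dr7 >> 8) & 1;
    o->ge = (dr7 >> 9) & 1;
    o->reserved_ok = (dr7 >> 10) & 1;
    o->gd = (dr7 >> 13) & 1;
    o->enabled_mask = 0;
    for (int i = 0; i < 4; i++) {
        o->bp[i].local     = (dr7 >> (2 * i)) & 1;
        o->bp[i].global    = (dr7 >> (2 * i + 1)) & 1;
        o->bp[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        o->bp[i].len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3);
        if (o->bp[i].local || o->bp[i].global)
            o->enabled_mask |= 1u << i;
    }
}

/* The check the text describes: 0x400 is nothing but the reserved bit, so
 * LE/GE being set (0x700 when started from the SoftICE loader) or any
 * enabled breakpoint (a BPM) is the fingerprint. */
int dr7_indicates_debugger(uint32_t dr7)
{
    struct dr7_info o;
    decode_dr7(dr7, &o);
    return o.le || o.ge || o.enabled_mask != 0;
}

/* The manipulation the text mentions (clearing BPMs): drop the L/G enable
 * bits and every R/W-LEN field, keep bits 8-15 (LE, GE, reserved, GD).
 * Writing the result back is again a ring-0 operation (mov dr7, eax). */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

static void describe(uint32_t dr7)
{
    struct dr7_info o;
    decode_dr7(dr7, &o);
    printf("DR7=%08x LE=%d GE=%d GD=%d debugger=%d\n", dr7, o.le, o.ge, o.gd,
           dr7_indicates_debugger(dr7));
    for (int i = 0; i < 4; i++)
        if (o.enabled_mask & (1u << i))
            printf("  DR%d: %s, %d byte(s), %s\n", i, dr7_rw_name(o.bp[i].rw),
                   o.bp[i].len_bytes, o.bp[i].global ? "global" : "local");
}

int main(void)
{
    /* Values quoted in the text, plus a constructed one: DR0 enabled locally
     * as a 4-byte write breakpoint (bits 16-17 = 01b, bits 18-19 = 11b). */
    describe(0x00000400u);
    describe(0x00000700u);
    describe(0x000D0401u);
    return 0;
}
```

The decoder is also what you want on the defender's side: a BPM set with SoftICE shows up as an enabled slot with its R/W and LEN fields, which is exactly the information a protection reading DR0-DR3 and DR7 in ring 0 gets, and what dr7_clear_breakpoints would wipe.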
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the device name succeeds whenever the SICE VxD is loaded.
      Use "\\\\.\\SIWVID" or "\\\\.\\NTICE" for the other drivers. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offset 0x13 is where 'tICE' falls in the
subkey string of key #2, 0x37 where it falls in key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>