<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of winice
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh     ; VxD ID of SIWVID
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax                ; ES -> interrupt vector table (segment 0)
    mov es,ax
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; temporarily replace the int 41h vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read timer channel 0: an unpredictable value
    xor cx,cx
    int 41h                  ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; ...unless a debugger has taken over int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

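As an added example (not part of the original text), here is a small Python scanner that looks for the literal constants these tricks leave behind in a binary: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh back-door values of Method 02, the 0F386h comparison of Methods 05, 07 and 12, and the MeltICE device names of Method 11. The sample bytes are constructed, and the byte encodings assume 16-bit operand size for the mov/cmp instructions (DOS code, or 66h-prefixed Win32 code).

```python
"""Static scan for the SoftICE-probing constants quoted in this text (added
example, not from the original document).  Encodings assume 16-bit operand
size for the mov/cmp instructions, as in DOS or 66h-prefixed Win32 code."""
import struct

# (name, raw byte pattern); immediates are little-endian as the CPU stores them.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') encodes as BD 4B 48 43 42
    ("Method 01: 'BCHK' immediate", b"\xBD" + struct.pack("<I", 0x4243484B)),
    ("Method 02: mov si,4647h", b"\xBE" + struct.pack("<H", 0x4647)),
    ("Method 02: mov di,4A4Dh", b"\xBF" + struct.pack("<H", 0x4A4D)),
    ("Methods 05/07/12: cmp ax,0F386h", b"\x3D" + struct.pack("<H", 0xF386)),
    # Method 11 (MeltICE): driver names opened with CreateFileA or _lopen
    ("Method 11: device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("Method 11: device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("Method 11: device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
]
INT3 = b"\xCC"

def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every occurrence, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        start = 0
        while (pos := blob.find(pattern, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)

def backdoor_calls(blob: bytes, window: int = 16) -> list[int]:
    """Offsets of the complete Method 02 shape: mov si,4647h followed within
    `window` bytes by mov di,4A4Dh and then int 3.  Requiring all three cuts
    false positives compared with matching the constants on their own."""
    si_pat, di_pat = SIGNATURES[1][1], SIGNATURES[2][1]
    found, start = [], 0
    while (pos := blob.find(si_pat, start)) != -1:
        region = blob[pos:pos + window]
        di_at = region.find(di_pat)
        if di_at != -1 and INT3 in region[di_at + len(di_pat):]:
            found.append(pos)
        start = pos + 1
    return found

# Constructed sample: filler, the Haspinst.exe back-door sequence from
# Method 02, a MeltICE device string, then the 0F386h comparison.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"        # mov ax,0911h  (execute command)
    + b"\x8B\x17"            # mov dx,[bx]
    + b"\xBE\x47\x46"        # mov si,4647h  (offset 9)
    + b"\xBF\x4D\x4A"        # mov di,4A4Dh  (offset 12)
    + INT3                   # int 3         (offset 15)
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"     # device name   (offset 24)
    + b"\x3D\x86\xF3"        # cmp ax,0F386h (offset 33)
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:#06x}  {what}")
    print("int 3 back-door call sites:", backdoor_calls(SAMPLE))
```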
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>