<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE and to force
it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0) here
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if our handler really got the int
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: a debugger swallowed the int
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
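As an added example (not part of the original text), here is a small Python scanner that looks for the byte-level footprints the tricks of Methods 01-05, 07, 11 and 12 leave in a program image (the magic constants, the int 41h/68h/2Fh calls, the "\\.\SICE" device names, the 002A002Ah VxDCall), so an analyst can flag anti-debugging code statically before running a sample. SAMPLE is a constructed blob standing in for a real file, and the instruction encodings assume 16-bit code except where a comment says otherwise.

```python
import re
from typing import List, Tuple

# Device names that MeltICE / _lopen pass to CreateFileA: "\\.\SICE" etc.
_DEVICE_NAMES = b"|".join(
    re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))

# Byte patterns for the tricks described above (16-bit encodings unless noted).
# A lazy ".{0,n}?" tolerates a few unrelated instructions between the key ones.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK'); the 66h prefix is present in 16-bit code only
    "M01 BoundsChecker 'BCHK' constant": rb"\x66?\xBD\x4B\x48\x43\x42",
    # mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic values)
    "M02 SoftICE back door via int 3": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # mov ax,1684h ... mov bx,0202h ... int 2Fh (SICE VxD id)
    "M03 int 2Fh/1684h, VxD id 0202h": rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F",
    # same with bx=7A5Fh (SIWVID VxD id)
    "M04 int 2Fh/1684h, VxD id 7A5Fh": rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F",
    # mov ax,4Fh ... int 41h (debugger installation check)
    "M05 int 41h function 4Fh": rb"\xB8\x4F\x00.{0,6}?\xCD\x41",
    # mov ah,43h ... int 68h (WinICE V86 handler)
    "M07 int 68h function 43h": rb"\xB4\x43.{0,4}?\xCD\x68",
    "M11 MeltICE driver name": _DEVICE_NAMES,
    # push 4Fh (imm8 or imm32) ... push 002A002Ah; 32-bit code (VxDCall backdoor)
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00",
}
_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in _COMPILED for m in rx.finditer(data)]
    return sorted(hits)


# Constructed test image: NOP padding around five of the idioms above.
SAMPLE = (
    b"\x90" * 16
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"  # mov si,4647h; mov di,4A4Dh; mov ax,0911h; int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                           # '\\.\SICE',0
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # push 4Fh; push 002A002Ah
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # mov ax,1684h; mov bx,0202h; int 2Fh
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08X}  {name}")
```

Hits are a starting point for a manual look in the debugger, not proof: a packer may build the constants at run time, and the short byte sequences can match by chance in data.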
</PRE></TD></TR></TBODY></TABLE>