About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer value: cannot be predicted by a debugger
    xor     cx,cx
    int     41h             ; our handler copies al to cl unless a debugger takes the int
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
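As an added example (not code from the original post, nor from NuMega or any of the tools named above), the following Python script scans a raw binary for the byte patterns of the tricks listed above, so an analyst can flag a packed sample that carries anti-SoftICE checks before tracing it. The instruction encodings are hand-assembled from the listings above (16-bit forms, with an optional 66h operand-size prefix for 32-bit code), the sample blob is constructed, and the constants are the ones the post gives.

```python
"""Triage scanner for the anti-SoftICE tricks listed above (added example).

Each signature is a byte pattern hand-assembled from the post's listings:
16-bit encodings, with an optional 66h prefix where 32-bit code would use it.
"""
import re
from typing import Dict, List, Tuple

SIGNATURES: List[Tuple[str, str, "re.Pattern[bytes]"]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("01", "BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03).{0,8}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (the back door magic values)
    ("02", "back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04", "int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05", "int 41h/4Fh check for the 0F386h magic",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x66?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07", "int 68h/43h V86 WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.S)),
    # Method 11: driver names handed to CreateFileA / _lopen (MeltICE)
    ("11", "MeltICE driver handle open",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall
    ("12", "VWIN32_Int41Dispatch via VxDCall",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00", re.S)),
    # Method 13: registry key giving the SoftICE install directory
    ("13", "SoftICE registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(blob: bytes) -> List[Dict[str, object]]:
    """Return every signature hit (method, description, offset), offset-sorted."""
    hits: List[Dict[str, object]] = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append({"method": method, "desc": desc, "offset": m.start()})
    return sorted(hits, key=lambda h: (h["offset"], h["method"]))


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers present, in order of first occurrence."""
    seen: List[str] = []
    for h in scan(blob):
        if h["method"] not in seen:
            seen.append(h["method"])
    return seen


# Constructed sample: Methods 01, 02 and 05 as 16-bit code, then the MeltICE
# device name and the registry key, with four NOPs of padding in front.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 at 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"          # Method 02 at 20
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"              # Method 05 at 28
    + b"\\\\.\\SICE\x00"                                       # Method 11 at 38
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13 at 47
)
```

For a real file, pass `open(path, "rb").read()` to `scan()`; the patterns are deliberately loose on the gap bytes, so treat a hit as a lead to confirm under the debugger, not as proof.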