About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE. With SoftICE loaded,
its int 3 handler recognizes the 'BCHK' signature in EBP and AL comes back
cleared; without it, the int 3 returns with AL still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily installs its own
int 41h handler (an IRET) so that, with no debugger loaded, ax is returned
unchanged, and only a resident system debugger can put 0F386h in it:

    xor     ax,ax
    mov     es,ax           ; ES = 0 to address the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The temporary handler copies al into cl; a random value read from the timer
port is used instead of function 4Fh, so a debugger that swallows int 41h
(and never reaches the handler) leaves cl different from al:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT counter: a value a debugger cannot predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
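Added example, not part of the original post: a small Python scanner that looks for the byte-level fingerprints of the tricks above in a raw file image (the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic of Method 02, the VxD IDs of Methods 03/04/09, the int 41h/4Fh and int 68h/43h checks of Methods 05 and 07, the 0F386h compare, the MeltICE device names of Method 11, the VxDCall argument pair of Method 12 and the NuMega registry path of Method 13). The opcode encodings assumed are the plain 16-bit forms shown in the listings (the 32-bit versions of the word moves carry a 66h prefix, which this scanner does not special-case), and the sample blob is constructed for the example rather than taken from any real binary.

```python
"""Static scan for the anti-SoftICE fingerprints described in the post."""
from typing import NamedTuple


class Sig(NamedTuple):
    pattern: bytes
    method: str          # method number in the post
    what: str
    follow: tuple = ()   # if set, one of these must occur within FOLLOW_WINDOW bytes


class Finding(NamedTuple):
    offset: int
    method: str
    what: str


FOLLOW_WINDOW = 16
INT3 = (b"\xCC", b"\xCD\x03")   # short and long encodings of int 3
INT2F = (b"\xCD\x2F",)

# 16-bit encodings: B8/BB/BE/BF = mov ax/bx/si/di,imm16; B4 = mov ah,imm8;
# 3D = cmp ax,imm16; CD = int imm8; 6A/68 = push imm8/imm32.
SIGNATURES = [
    Sig(b"KHCB", "01", "mov ebp,4243484Bh ('BCHK' stored little-endian)"),
    Sig(b"\xBE\x47\x46", "02", "mov si,4647h (back-door magic)", INT3),
    Sig(b"\xBF\x4D\x4A", "02", "mov di,4A4Dh (back-door magic)", INT3),
    Sig(b"\xB8\x84\x16", "03/04", "mov ax,1684h (int 2Fh get API entry point)", INT2F),
    Sig(b"\xBB\x02\x02", "03", "mov bx,0202h (SICE VxD ID)", INT2F),
    Sig(b"\xBB\x5F\x7A", "04", "mov bx,7A5Fh (SIWVID VxD ID)", INT2F),
    Sig(b"\xB8\x4F\x00\xCD\x41", "05", "mov ax,4Fh / int 41h"),
    Sig(b"\xB4\x43\xCD\x68", "07", "mov ah,43h / int 68h"),
    Sig(b"\x3D\x86\xF3", "05/07/12", "cmp ax,0F386h (debugger magic number)"),
    Sig(b"\\\\.\\SICE", "11", "MeltICE device name \\\\.\\SICE"),
    Sig(b"\\\\.\\SIWVID", "11", "MeltICE device name \\\\.\\SIWVID"),
    Sig(b"\\\\.\\NTICE", "11", "MeltICE device name \\\\.\\NTICE"),
    Sig(b"\x6A\x4F\x68\x2A\x00\x2A\x00", "12",
        "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)"),
    Sig(b"NuMega\\SoftICE", "13", "registry path Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes) -> list:
    """Return every signature hit in blob, sorted by file offset."""
    found = []
    for sig in SIGNATURES:
        start = 0
        while (pos := blob.find(sig.pattern, start)) != -1:
            start = pos + 1
            end = pos + len(sig.pattern)
            # A bare 3-byte immediate is weak evidence; require the interrupt
            # the trick actually issues to follow within a short window.
            if sig.follow and not any(
                blob.find(f, end, end + FOLLOW_WINDOW) != -1 for f in sig.follow
            ):
                continue
            found.append(Finding(pos, sig.method, sig.what))
    return sorted(found)


def methods_hit(blob: bytes) -> set:
    """Set of method numbers (as used in the post) found in blob."""
    return {f.method for f in scan(blob)}


# Constructed sample image (not a real program): a Method 02 back-door call,
# a Method 05 int 41h/4Fh check, a MeltICE device name and a Method 12 VxDCall.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h; mov dx,[bx]; si/di magic; int 3
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"           # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                     # "\\.\SICE" device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # push 4Fh; push 002A002Ah; call
    + b"\xCC" * 4
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:08x}  method {f.method:<8} {f.what}")
```

Offsets are file offsets, not virtual addresses; feed it a DOS .EXE or a PE image read as bytes. The `follow` constraint removes most chance hits on the three-byte immediates inside data, but it will miss code that puts a jump between the register setup and the interrupt, and it knows nothing about the 16-bit `push 4Fh / int 41h` sequences assembled by other compilers, so treat a clean result as absence of these exact encodings, not of the tricks.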
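Added example for Method 10, not from the original post: a decoder for the DR7 bit layout (Intel SDM vol. 3, debug registers) that shows why the two values quoted there differ: 0x400 is only the reserved bit 10, which always reads as 1, while 0x700 additionally has the LE and GE exact-breakpoint bits set and still has no hardware breakpoint armed. `softice_loader_hint` encodes the post's heuristic only; the third sample value is a constructed DR7 with one global 4-byte write breakpoint in slot 0, which is what a BPM would leave behind.

```python
"""Decode x86 DR7 so the dr7 values quoted in Method 10 can be read."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 is the 64-bit-mode encoding of LEN=10b


def decode_dr7(dr7: int) -> dict:
    """Return the enable flags and the armed hardware breakpoints in dr7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # Li: bit 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1      # Gi: bit 1, 3, 5, 7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3       # RWi: condition for DRi
        ln = (dr7 >> (18 + 4 * i)) & 3       # LENi: size monitored at DRi
        slots.append({"slot": i, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),      # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),      # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),     # general detect: traps MOV to/from DRx
        "breakpoints": slots,
    }


def bpm_present(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled, i.e. a memory breakpoint is armed."""
    return bool(decode_dr7(dr7)["breakpoints"])


def softice_loader_hint(dr7: int) -> bool:
    """The post's heuristic: LE and GE set (0x700) => started under the SoftICE loader."""
    return (dr7 & 0x300) == 0x300


# Constructed sample values: the two quoted in Method 10 plus a DR7 with a
# global 4-byte write breakpoint in slot 0 (G0=1, RW0=01b, LEN0=11b).
SAMPLES = {"loader": 0x700, "plain": 0x400, "one bpm": 0x000D0402}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8} dr7={value:#010x} -> {decode_dr7(value)}")
```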