<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
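The SoftICE breakpoints above catch these tricks at run time; an analyst triaging an unpacked sample also wants to spot them statically. The following scanner is an added example (not code from the original text or from any tool it names) that goes a little beyond the text by covering Methods 01, 02, 03, 05, 11 and 12 in one signature table. The byte encodings are derived from the listings (16-bit for the DOS sequences, 32-bit for the Win32 ones), and the sample buffer is constructed, not taken from a real file.

```c
/* Added example, not code from the original text: a byte-signature scanner
 * that flags the anti-SoftICE sequences described above in a raw code buffer
 * (e.g. an unpacked section). All sample bytes here are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
struct sig { const char *name; const unsigned char *bytes; size_t len; };

/* Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 (32-bit encoding) */
static const unsigned char SIG_BCHK[] = {0xBD,0x4B,0x48,0x43,0x42,0x66,0xB8,0x04,0x00,0xCC};
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 (16-bit, cf. 4C19:009A..00A0) */
static const unsigned char SIG_BACKDOOR[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};
/* Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (16-bit) */
static const unsigned char SIG_INT2F[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F};
/* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h (16-bit) */
static const unsigned char SIG_INT41[] = {0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3};
/* Method 11: device name handed to CreateFileA / _lopen (matched without NUL) */
static const unsigned char SIG_SICE[] = "\\\\.\\SICE";
/* Method 12: push 4Fh / push 002A002Ah before Kernel32!ORD_0001 (32-bit) */
static const unsigned char SIG_VXDCALL[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};

static const struct sig SIGS[] = {
    {"Method 01 BoundsChecker int 3",   SIG_BCHK,     sizeof SIG_BCHK},
    {"Method 02 backdoor magic SI/DI",  SIG_BACKDOOR, sizeof SIG_BACKDOOR},
    {"Method 03 int 2Fh/1684h SICE",    SIG_INT2F,    sizeof SIG_INT2F},
    {"Method 05 int 41h/4Fh",           SIG_INT41,    sizeof SIG_INT41},
    {"Method 11 \\\\.\\SICE device",    SIG_SICE,     sizeof SIG_SICE - 1},
    {"Method 12 VxDCall Int41Dispatch", SIG_VXDCALL,  sizeof SIG_VXDCALL},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
/* Returns a bitmask with bit i set when SIGS[i] occurs anywhere in buf. */
unsigned scan_anti_sice(const unsigned char *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        for (size_t off = 0; off + SIGS[i].len <= len; off++)
            if (memcmp(buf + off, SIGS[i].bytes, SIGS[i].len) == 0) {
                hits |= 1u << i;
                break;
            }
    return hits;
}

/* Constructed sample: the Method 02 sequence from the Haspinst listing, then
 * the MeltICE device string. Expected mask: 0x12 (bits for Method 02 and 11). */
static const unsigned char SAMPLE[] = {
    0xB8,0x11,0x09, 0x8B,0x17,              /* mov ax,0911h ; mov dx,[bx] */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,   /* mov si,4647h ; mov di,4A4Dh ; int 3 */
    0x83,0xC3,0x02,                         /* add bx,2 */
    '\\','\\','.','\\','S','I','C','E',0x00
};
unsigned scan_sample(void) { return scan_anti_sice(SAMPLE, sizeof SAMPLE); }

int main(void)
{
    unsigned hits = scan_sample();
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("found: %s\n", SIGS[i].name);
    return 0;
}
```

Exact byte matching is deliberately simple; a packer that reorders the two magic-value moves or loads them through other registers will not match, so treat a hit as a triage hint, not proof.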

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>