<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
- S i9 e% t7 {% {$ J4 e
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It checks whether SoftICE reacts to the BoundsChecker signature passed through int 3:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL is no longer 4 if SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911        ; execute command.
    4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647        ; 1st magic value.
    4C19:009D MOV DI,4A4D        ; 2nd magic value.
    4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
    4C19:00A8 JB 0095            ; 6 different commands.
    4C19:00AA JMP 0002           ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI is still 0:0 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 so that es:[41h*4] is the int 41h vector in the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al              ; copy AL as it arrives in the handler
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value read from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL was set by our handler only if int 41h reached it
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD by its device name only succeeds when the driver is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected
Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
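Added example (not part of the original text, nor NuMega's or Stone's code): a small Python signature scanner that flags, in a raw byte blob, the constants the methods above rely on: the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic of method 02, the 1684h/VxD-ID pair of methods 03 and 04, the 0F386h magic number and the int 41h/68h calls of methods 05 to 07 and 12, the device names of method 11 and the registry keys of method 13, so a reverser can triage a protected file before running it under a debugger. Byte encodings assume 16-bit code for the DOS-era tricks, and the constructed SAMPLE is not taken from any real binary.

```python
import re

def imm(value, size):
    """Immediate as it appears in the byte stream (little-endian), regex-escaped:
    0x002A002A contains '*', which would otherwise be a regex metacharacter."""
    return re.escape(value.to_bytes(size, "little"))

# Byte patterns for the constants the methods above rely on (method numbers refer
# to the sections of this text).  .{0,8}? tolerates a few bytes between the two
# halves of a pair; (?:\x66)? accepts an operand-size prefix in 16/32-bit mixes.
SIGNATURES = {
    "m01 mov ebp,'BCHK' (4243484Bh) BoundsChecker check":
        rb"(?:\x66)?\xbd" + imm(0x4243484B, 4),
    "m02 int 3 back door magic mov si,4647h / mov di,4A4Dh":
        rb"\xbe" + imm(0x4647, 2) + rb".{0,8}?\xbf" + imm(0x4A4D, 2),
    "m03/04 int 2Fh/1684h with VxD id 0202h (SICE) or 7A5Fh (SIWVID)":
        rb"\xb8" + imm(0x1684, 2) + rb"\xbb(?:" + imm(0x0202, 2) + rb"|" + imm(0x7A5F, 2) + rb")",
    "m05 mov ax,4Fh / int 41h":
        rb"\xb8" + imm(0x004F, 2) + rb".{0,8}?\xcd\x41",
    "m05/06/07/12 cmp ax,0F386h debugger magic number":
        rb"(?:\x66)?\x3d" + imm(0xF386, 2),
    "m07 mov ah,43h / int 68h":
        rb"\xb4\x43.{0,8}?\xcd\x68",
    "m11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "m12 push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)":
        rb"\x68" + imm(0x002A002A, 4),
    "m13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}

def scan(blob):
    """Return [(offset, signature name)] for every hit in blob, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample (not bytes from any real binary): the int 3 back-door sequence
# of the Haspinst.exe listing, the simplest int 41h/4Fh check, a MeltICE device name.
SAMPLE = (
    b"\xb8\x11\x09"       # mov ax,0911h
    b"\x8b\x17"           # mov dx,[bx]
    b"\xbe\x47\x46"       # mov si,4647h
    b"\xbf\x4d\x4a"       # mov di,4A4Dh
    b"\xcc"               # int 3
    b"\x90\x90\x90\x90"   # padding
    b"\xb8\x4f\x00"       # mov ax,4Fh
    b"\xcd\x41"           # int 41h
    b"\x3d\x86\xf3"       # cmp ax,0F386h
    b"\x74\x00"           # jz SoftICE_detected (displacement is a placeholder)
    b"\\\\.\\SICE\x00"    # "\\.\SICE"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```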
</PRE></TD></TR></TBODY></TABLE>