About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                   ; SoftICE changes al; without it al is still 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(the "Get Device API Entry Point" API).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is still 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]        ; (es = 0 is assumed; see Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al             ; only reached if nobody else handles int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax             ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h           ; timer value, different on every run
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al             ; our handler copied al into cl; if a debugger
    jnz     SoftICE_detected  ; swallowed the interrupt, cl is still 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
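Added example, not code from the original post: a small static scanner that looks for the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11 and 12 in a raw binary, as a complement to the runtime BPX conditions given above. The opcodes are hand-encoded from the listings on this page (16-bit encodings, plus the 32-bit forms of Methods 01, 02 and 12). The sample blob it scans is constructed for the demo: the Haspinst.exe loop re-assembled from the Method 02 listing, followed by a BCHK check, a Method 12 VxDCall with a zeroed call target, the "\\.\SICE" device name and an int 41h/4Fh check; the jump displacements in it are made up for this layout.

```python
"""Static scanner for the anti-SoftICE code patterns catalogued above.

Added example, not part of the original post.  Each signature is the opcode
sequence a program must emit to perform the trick as listed on the page.
SAMPLE is a constructed blob, not a real file.
"""
from __future__ import annotations
import sys

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3 ; cmp al,4
    # (16-bit code only adds a 66h prefix, so the immediate alone suffices)
    "Method 01: BoundsChecker 'BCHK' int 3 check":
        [bytes.fromhex("BD 4B 48 43 42")],
    # Method 02: mov si,4647h ; mov di,4A4Dh ; ... ; int 3 (back-door magic)
    "Method 02: SoftICE int 3 back door (SI=4647h, DI=4A4Dh)":
        [bytes.fromhex("BE 47 46 BF 4D 4A"),               # 16-bit code
         bytes.fromhex("66 BE 47 46 66 BF 4D 4A")],        # 32-bit code
    # Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
    "Method 03: int 2Fh/1684h for VxD ID 0202h (SICE)":
        [bytes.fromhex("B8 84 16 BB 02 02 CD 2F")],
    "Method 04: int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)":
        [bytes.fromhex("B8 84 16 BB 5F 7A CD 2F")],
    # Method 05: mov ax,4Fh ; int 41h
    "Method 05: int 41h/4Fh debugger installation check":
        [bytes.fromhex("B8 4F 00 CD 41")],
    # Method 07: mov ah,43h ; int 68h
    "Method 07: int 68h/43h WinICE handler check":
        [bytes.fromhex("B4 43 CD 68")],
    # Method 11: the device names MeltICE opens with CreateFileA or _lopen
    "Method 11: MeltICE device name":
        [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    # Method 12: push 4Fh ; push 002A002Ah ; call Kernel32!ORD_0001
    "Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)":
        [bytes.fromhex("6A 4F 68 2A 00 2A 00")],
}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = set()
    for name, variants in SIGNATURES.items():
        for sig in variants:
            pos = data.find(sig)
            while pos != -1:            # report every occurrence, not just the first
                hits.add((pos, name))
                pos = data.find(sig, pos + 1)
    return sorted(hits)


def report(data: bytes) -> list[str]:
    """Human-readable lines, one per hit: 8-digit hex offset and description."""
    return ["%08X  %s" % hit for hit in scan(data)]


# Constructed sample (not a real file): the Haspinst.exe loop 4C19:0095-00AD
# from Method 02, then a 32-bit Method 01 check, a Method 12 VxDCall (call
# target zeroed), the "\\.\SICE" device name and a 16-bit Method 05 check.
SAMPLE = (
    bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC  83 C3 02  41 "
                  "83 F9 06  72 EB  E9 55 FF  8B DC")
    + bytes.fromhex("BD 4B 48 43 42  66 B8 04 00  CC  3C 04  75 02")
    + bytes.fromhex("6A 4F  68 2A 00 2A 00  FF 15 00 00 00 00  66 3D 86 F3  74 02")
    + b"\\\\.\\SICE\x00"
    + bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 02")
)

if __name__ == "__main__":
    # usage: python antisice_scan.py [file]   (scans SAMPLE when no file is given)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(blob):
        print(line)
```

The signatures are the immediates a program has to emit verbatim to use the documented interface, so they are robust against relocation but not against a rewrite that loads the magic values through different registers or arithmetic; treat a hit as a lead to confirm under the BPX conditions above, and expect occasional false positives on data that happens to contain the same bytes.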