About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes for the BoundsChecker signature that SoftICE recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE changes al when it handles this int 3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at SoftICE's 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
0 s7 p1 {5 x  z% a7 y8 K
2 O+ a. Y! N! m0 D( H6 `; C, ~) Q) A- q* P6 b
Method 03
=========

Less used method.  It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
  r$ C$ ]) ]& o. A# F2 D

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 here (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone, a debugger doesn't
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
- a2 h3 {6 E$ `5 |6 U2 \* c& M: J0 Q" x7 {3 p

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer port for a changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
$ f- B, H) g; {7 i' {- R* l

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
/ Z# V! Y7 e/ V
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
) F% o/ d$ H0 w9 m5 i8 `' I8 O* S, b- J
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
9 ^/ R$ J/ n) K, L6 _/ s, E- u! [: Q1 I. u9 _( |$ m
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name '\\.\SICE' can only be opened if the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
/ [$ c9 L# @$ e+ {/ m) G; k3 z
% x! F0 ]. j/ H( L7 V
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
1 {+ \0 d0 m$ Q- p0 z7 n</PRE></TD></TR></TBODY></TABLE>