About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________



Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to point to segment 0 (the IVT)
    lea     dx, int41handler2       ; here, as set up explicitly in Method 06
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
7 g/ O  ~' d/ m1 j% t0 B0 b* [( O) W; u

5 V, _3 ]" O' _  Y, T$ a  FMethod 06
9 r7 p9 G+ q+ G7 m5 h=========$ g8 O2 m3 V% m/ i' R" ^8 r
6 q: m" o. c1 Q) H5 y  l6 S) x
& q. T1 x1 J6 @! M0 S3 q6 `
2nd method similar to the preceding one but more difficult to detect:
, x- N9 h! F3 J+ b2 F
. j. l1 L3 i1 I$ c& D0 o1 K
8 N, L, z+ W7 f8 X! q0 xint41handler PROC) k& @# u! R# [  k; ~
    mov     cl,al
1 Y0 {$ N; T5 Y3 u1 z2 _    iret
2 y3 X5 {1 U1 C, a. h" M& iint41handler ENDP
5 v2 M8 f0 N8 \% M, ~8 I. f
) K  ~/ j- h6 z
3 Q. e! Z1 ^8 I8 Q    xor     ax,ax
) q- K& _1 a1 ^( P4 b$ P$ c    mov     es,ax
4 P+ d  O$ t1 N7 T    mov     bx, cs
: u& {3 n* h- h* ~    lea     dx, int41handler: ~6 @9 E" h& ?( [. E
    xchg    dx, es:[41h*4]  i# D/ ^1 t0 j( W. H
    xchg    bx, es:[41h*4+2]
& i0 A2 u3 P5 K9 d! m8 s    in      al, 40h
# M$ _. s3 _- x) r7 b    xor     cx,cx9 p, D) O) f8 ^% ^. ]
    int     41h  [8 R) w- C9 z0 d5 R
    xchg    dx, es:[41h*4]5 Z9 B! X2 v1 f" y3 Y3 ~  |2 R
    xchg    bx, es:[41h*4+2]' J4 G. g# q! W$ V: R
    cmp     cl,al
" w4 ^7 u; [: ?. E5 r    jnz     SoftICE_detected
% l5 p* _4 m4 j5 {5 D) x2 `  ~; _: _% `7 J
_________________________________________________________________________8 t. D5 C' {; ^8 o  e8 R/ @' V

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
0 [0 J2 k. F. x) n# `' n: O' L) g! z
Method 09
; q/ i  _+ R  o# @=========$ G7 T* v, B) c3 H2 G5 I
! E/ c( _0 s4 q. [" }1 {5 q
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( _' v( T$ r  M0 E! x+ Z" u1 d" N
performed in ring0 (VxD or a ring3 app using the VxdCall).6 F3 P9 V( j) L% e9 Y" u5 y8 D
The Get_DDB service is used to determine whether or not a VxD is installed2 _) j6 X4 g3 e+ @- p# G! p4 Z
for the specified device and returns a Device Description Block (in ecx) for
" h# l+ N6 }+ |( f: E- ?1 Mthat device if it is installed.
1 l* X. o1 ~4 I- ]
( s2 l3 @+ u# M3 t# a   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
: H/ }  d2 O5 ~   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 [+ S# _, a) _3 _! s% b" M   VMMCall Get_DDB: X( G* j4 K% |2 }3 e$ H9 e
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
& |% _% f2 R$ w! p; y3 d# m
. \: S0 d0 Z0 X& W6 HNote as well that you can easily detect this method with SoftICE:' W1 Z, C: {  y0 x% E
   bpx Get_DDB if ax==0202 || ax==7a5fh( f  r: z! O$ @- f2 _6 g
. s% K* {+ b. [
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver by its device name only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
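As an added example (not code from the original post), here is a small static scanner for the two most common tricks above, Method 01 and Method 02, the kind of thing you would run over a packed file before loading it. It looks for the instruction encodings the text implies: `mov ebp, 4243484Bh` ('BCHK') followed by an `int 3`, and the pair `mov si, 4647h` / `mov di, 4A4Dh` followed by an `int 3`. The opcode bytes (BDh+imm32, BEh/BFh+imm16, CCh or CDh 03h) are the standard Intel encodings; the 32-byte window between the register setup and the interrupt, and the sample byte strings, are constructed assumptions of mine. The Method 02 sample is the Haspinst.exe loop from the text hand-assembled up to the `CMP CX,06`; nothing here comes from a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard Intel encodings of the instructions used by the two tricks:
 *   mov ebp, imm32  -> BD id   (16-bit code puts a 66h operand-size prefix in front)
 *   mov si,  imm16  -> BE iw
 *   mov di,  imm16  -> BF iw
 *   int 3           -> CC  or  CD 03
 * Immediates are little-endian: 'BCHK' = 4243484Bh -> 4B 48 43 42.
 * Matching on BD+imm32 without the prefix covers both 16- and 32-bit code. */
static const uint8_t SIG_MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t SIG_MOV_SI_4647[]  = { 0xBE, 0x47, 0x46 };
static const uint8_t SIG_MOV_DI_4A4D[]  = { 0xBF, 0x4D, 0x4A };

/* Assumption: the int 3 must follow the register setup within this many bytes. */
#define INT3_WINDOW 32

static int match_at(const uint8_t *buf, size_t len, size_t off,
                    const uint8_t *sig, size_t siglen)
{
    return off + siglen <= len && memcmp(buf + off, sig, siglen) == 0;
}

/* Is there an int 3 (CC, or CD 03) in [off, off + INT3_WINDOW)? */
static int int3_follows(const uint8_t *buf, size_t len, size_t off)
{
    for (size_t i = off; i < len && i < off + INT3_WINDOW; i++) {
        if (buf[i] == 0xCC) return 1;
        if (buf[i] == 0xCD && i + 1 < len && buf[i + 1] == 0x03) return 1;
    }
    return 0;
}

/* Returns 1 for a Method 01 hit ('BCHK' in ebp + int 3), 2 for a Method 02 hit
 * (both magic values loaded + int 3), 0 for no hit.  *hit_off receives the
 * offset of the first matched instruction. */
int scan_anti_softice(const uint8_t *buf, size_t len, size_t *hit_off)
{
    for (size_t off = 0; off < len; off++) {
        if (match_at(buf, len, off, SIG_MOV_EBP_BCHK, sizeof SIG_MOV_EBP_BCHK) &&
            int3_follows(buf, len, off + sizeof SIG_MOV_EBP_BCHK)) {
            if (hit_off) *hit_off = off;
            return 1;
        }
        int si_here = match_at(buf, len, off, SIG_MOV_SI_4647, 3);
        int di_here = match_at(buf, len, off, SIG_MOV_DI_4A4D, 3);
        if (si_here || di_here) {
            /* the two loads may come in either order; the second one must sit
             * inside the window and itself be followed by the int 3 */
            const uint8_t *other = si_here ? SIG_MOV_DI_4A4D : SIG_MOV_SI_4647;
            for (size_t j = off + 3; j < len && j < off + INT3_WINDOW; j++) {
                if (match_at(buf, len, j, other, 3) && int3_follows(buf, len, j + 3)) {
                    if (hit_off) *hit_off = off;
                    return 2;
                }
            }
        }
    }
    return 0;
}

/* Constructed samples: hand-assembled 16-bit code, not bytes taken from any real file. */
/* Haspinst loop from the text: mov ax,0911 / mov dx,[bx] / mov si,4647 / mov di,4A4D /
 * int 3 / add bx,2 / inc cx / cmp cx,6 */
const uint8_t SAMPLE_METHOD02[] = {
    0xB8, 0x11, 0x09,  0x8B, 0x17,  0xBE, 0x47, 0x46,  0xBF, 0x4D, 0x4A,
    0xCD, 0x03,  0x83, 0xC3, 0x02,  0x41,  0x83, 0xF9, 0x06
};
/* Method 01 snippet: mov ebp,4243484Bh (66h prefix) / mov ax,4 / int 3 / cmp al,4 */
const uint8_t SAMPLE_METHOD01[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  0xB8, 0x04, 0x00,  0xCC,  0x3C, 0x04
};
/* A lone mov si,4647 with no partner load and no int 3 must not trigger. */
const uint8_t SAMPLE_BENIGN[] = { 0xBE, 0x47, 0x46,  0x90, 0x90,  0xC3 };

int main(void)
{
    size_t off = 0;
    int r = scan_anti_softice(SAMPLE_METHOD02, sizeof SAMPLE_METHOD02, &off);
    printf("method02 sample: hit=%d at offset %zu\n", r, off);
    r = scan_anti_softice(SAMPLE_METHOD01, sizeof SAMPLE_METHOD01, &off);
    printf("method01 sample: hit=%d at offset %zu\n", r, off);
    r = scan_anti_softice(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, NULL);
    printf("benign sample:   hit=%d\n", r);
    return 0;
}
```

The scanner is deliberately loose (any order of the two magic loads, any int 3 form, a fixed window) so that the usual register-shuffling variants still match; tighten INT3_WINDOW if it produces noise on a particular packer.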
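Method 10 reads the debug registers directly, and the values quoted there (dr7=0x400 vs 0x700) are easier to reason about with the DR7 layout from the Intel manual: bit 10 is reserved and always reads as 1 (hence 0x400 on a clean machine), bits 8 and 9 are LE and GE (so 0x700 means both exact-breakpoint bits are set), bits 0-7 are the local/global enable bits for DR0-DR3, bit 13 is GD, and bits 16-31 hold each slot's R/W and LEN fields. The decoder below is an added example, not code from the original post; it takes a snapshot of DR0-DR3 and DR7 as plain integers (how you read them in ring 0 is outside its scope) and reports what is armed. The sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One hardware breakpoint slot, decoded from DRn + DR7 (Intel SDM vol. 3, "Debug Registers"). */
typedef struct {
    int      enabled;   /* Ln or Gn set */
    int      global;    /* Gn rather than Ln */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    unsigned len;       /* 1, 2, 4 or 8 bytes */
    uint32_t address;   /* linear address from DRn */
} hw_bp_t;

typedef struct {
    int     le, ge;     /* local/global exact breakpoint (bits 8, 9) */
    int     gd;         /* general detect (bit 13): traps the next MOV to a debug register */
    int     armed;      /* number of enabled slots */
    hw_bp_t bp[4];
} dr_state_t;

static unsigned len_bytes(unsigned lenbits)
{
    switch (lenbits) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;  /* 2 = 8 bytes in 64-bit mode, undefined in 32-bit mode */
    }
}

dr_state_t decode_debug_regs(uint32_t dr7, const uint32_t dr0_3[4])
{
    dr_state_t s;
    memset(&s, 0, sizeof s);
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;        /* L0..L3 at bits 0,2,4,6 */
        int g = (dr7 >> (2 * i + 1)) & 1;    /* G0..G3 at bits 1,3,5,7 */
        hw_bp_t *b = &s.bp[i];
        b->enabled = l | g;
        b->global  = g;
        b->rw      = (dr7 >> (16 + 4 * i)) & 3;            /* RWn */
        b->len     = len_bytes((dr7 >> (18 + 4 * i)) & 3); /* LENn */
        b->address = dr0_3[i];
        s.armed   += b->enabled;
    }
    return s;
}

/* The page's heuristic: 0x400 is only the always-set reserved bit 10; 0x700 adds LE|GE. */
int dr7_has_exact_bits(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

/* Anything a packer would react to: LE/GE set (SoftICE loader) or any slot armed (a BPM). */
int debugger_footprint(uint32_t dr7, const uint32_t dr0_3[4])
{
    dr_state_t s = decode_debug_regs(dr7, dr0_3);
    return dr7_has_exact_bits(dr7) || s.armed > 0;
}

/* Constructed snapshots, not values read from a real machine. */
const uint32_t SAMPLE_DR0_3_CLEAN[4] = { 0, 0, 0, 0 };
const uint32_t SAMPLE_DR0_3_BPM[4]   = { 0x00401000, 0, 0, 0 };
/* DR7 with slot 0 local-enabled, RW0 = 3 (read/write), LEN0 = 3 (4 bytes):
 * what a 4-byte read/write memory breakpoint on 401000h looks like. */
const uint32_t SAMPLE_DR7_BPM = 0x400u | 1u | (3u << 16) | (3u << 18);

int main(void)
{
    static const char *rwname[] = { "X", "W", "IO", "RW" };
    dr_state_t s = decode_debug_regs(SAMPLE_DR7_BPM, SAMPLE_DR0_3_BPM);
    printf("dr7=%08x le=%d ge=%d gd=%d armed=%d\n",
           (unsigned)SAMPLE_DR7_BPM, s.le, s.ge, s.gd, s.armed);
    for (int i = 0; i < 4; i++)
        if (s.bp[i].enabled)
            printf("  DR%d: %s %u byte(s) at %08x (%s)\n", i, rwname[s.bp[i].rw],
                   s.bp[i].len, (unsigned)s.bp[i].address,
                   s.bp[i].global ? "global" : "local");
    printf("clean 0x400 -> %d, loader 0x700 -> %d\n",
           debugger_footprint(0x400, SAMPLE_DR0_3_CLEAN),
           debugger_footprint(0x700, SAMPLE_DR0_3_CLEAN));
    return 0;
}
```

The same decoder works on register dumps from a crash or from a hypervisor trace; the point of the text's warning ("DO NOT trace with SoftICE while the option is enabled") is visible in `armed`: every BPM you leave set is one more slot a ring-0 check can read back.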