About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface alters al
    cmp     al,4                   ; al is still 4 when nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 when the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler as int 41h
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value
    xor     cx,cx
    int     41h                     ; if a debugger owns int 41h, our handler never runs
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Requires the Win32 headers (windows.h). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected  ?
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>