<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is left unchanged (4) when SoftICE is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands; the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0 when the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (06), are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; (added: ES=0 addresses the IVT, as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, saving the
    xchg bx, es:[41h*4+2]   ; old vector in bx:dx
    mov ax, 4fh
    int 41h                 ; reaches only the dummy handler unless SoftICE
                            ; intercepts int 41h first
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: ax keeps 4fh
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect:

int41handler PROC
    mov cl, al              ; only reached if SoftICE does not intercept
    iret                    ; int 41h: copies the function number into cl
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random function number from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl==al only if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers, you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their value (in ring0 only). The values
can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>