<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next snippet as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (interrupt vector table),
        xchg bx, es:[41h*4+2]   ; as method 06 sets up explicitly
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only executed if our handler really gets control
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our int 41h handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer counter as an unpredictable value
        xor cx, cx
        int 41h                 ; if int 41h is intercepted, cl is never set to al
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
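As an added illustration of this debug-register check (not part of the original text), the following Python decodes a DR7 value into the control bits and armed breakpoint slots it encodes, which makes the two values quoted above readable: 0x400 is only the always-set reserved bit 10, while 0x700 additionally has LE and GE set. The bit layout is the Intel SDM one; the helper encode_bp and the armed-slot sample value are constructed for the demonstration.

```python
# DR7 decoder for the Method 10 debug-register check (added example).
# Layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
#   bit 8 / 9   : LE / GE  exact breakpoint match enables
#   bit 10      : reserved, always reads as 1 (the 0x400 baseline)
#   bit 13      : GD  general detect (trap any access to DR0-DR7)
#   bits 16+4i  : R/W i (2 bits), bits 18+4i : LEN i (2 bits) for slot i
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # LEN=10b means 8 bytes (64-bit mode only)
RW_CODES = {v: k for k, v in RW_KINDS.items()}
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return the control flags and the armed breakpoint slots encoded in dr7."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for slot in range(4):
        local = bool(dr7 & (1 << (2 * slot)))
        glob = bool(dr7 & (1 << (2 * slot + 1)))
        if not (local or glob):
            continue            # slot not enabled; DRi may still hold a stale address
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        info["breakpoints"].append({
            "slot": slot,
            "scope": "global" if glob else "local",
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def encode_bp(slot, kind, length, scope="local"):
    """Constructed helper: the DR7 bits that arm one slot (inverse of decode_dr7)."""
    enable = 1 << (2 * slot + (1 if scope == "global" else 0))
    return (enable | (RW_CODES[kind] << (16 + 4 * slot))
            | (LEN_CODES[length] << (18 + 4 * slot)))


def describe(dr7):
    """One-line verdict in the terms the text uses (0x400 baseline vs 0x700)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        slots = ",".join(str(b["slot"]) for b in d["breakpoints"])
        return "hardware breakpoints armed in slot(s) %s (BPM-style)" % slots
    if d["le"] and d["ge"]:
        return "LE/GE set, no slots armed (the 0x700 case)"
    return "baseline (the 0x400 case: nothing armed)"


if __name__ == "__main__":
    # 0x400 and 0x700 are the values quoted in the text; the third is constructed.
    for value in (0x400, 0x700, 0x400 | encode_bp(0, "read/write", 4, "global")):
        print("dr7=%#010x -> %s" % (value, describe(value)))
```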

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

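The breakpoints listed under methods 01 to 13 catch these tricks at run time; as an added example (not part of the original text or of any tool it names), the following Python does the static equivalent, scanning a binary for the constants and strings the tricks rely on: the 'BCHK' immediate (method 01), the 4647h/4A4Dh magic values (method 02), the int 41h/4Fh and int 68h/43h calls (methods 05 and 07), the \\.\SICE family of device names (method 11), the VxDCall arguments (method 12), the NuMega registry key (method 13) and the 0F386h compare. It assumes 16-bit encodings for the mov si/di/ax forms and 32-bit encodings for the mov ebp and push imm32 forms (a 66h prefix still matches), and the sample blob is constructed, not taken from a real program.

```python
import re

# Signatures derived from the instruction encodings and literals quoted in the
# text above (added example; not the original document's code).
# Assumption: 16-bit code for the mov si/di/ax forms, 32-bit code for the
# mov ebp and push imm32 forms; an operand-size prefix in front still matches.
SIGNATURES = [
    ("Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker check)",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    ("Method 02: mov si,4647h ... mov di,4A4Dh (int 3 back door)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"),
    ("Method 05: mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 07: mov ah,43h / int 68h (V86 WinICE handler)",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11: \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE device name (MeltICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 13: Software\\NuMega\\SoftICE registry key string",
     rb"NuMega\\SoftICE"),
    ("cmp ax,0F386h (magic number, methods 05/06/07/12)",
     rb"\x3D\x86\xF3"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """Distinct signature names only, for a quick triage verdict."""
    return sorted({name for _, name in scan(data)})


# Constructed sample blob (not a real binary): NOP padding, the Method 02
# back-door sequence, two MeltICE device names, then Method 05 and the compare.
SAMPLE = (
    b"\x90" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # '\\.\SICE', '\\.\NTICE'
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print("%08x  %s" % (offset, name))
```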
Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>