<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3                       ; SoftICE handles the BoundsChecker interface and changes AL
    cmp al, 4                   ; AL is left untouched when nothing answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911      ; execute command.
    4C19:0098  MOV  DX,[BX]      ; ds:dx point to the command (see below).
    4C19:009A  MOV  SI,4647      ; 1st magic value.
    4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT  3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02        ; BX+2 to point to next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB   0095         ; 6 different commands.
    4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
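Both int 3 checks above leave a recognisable byte pattern in a binary, which is what an analyst triaging a packed sample looks for. The following Python script is an added example, not code from the original text: it scans raw code bytes for the standard x86 encodings of the Method 01 sequence (mov ebp,'BCHK' / mov ax,4 / int 3, 32-bit code) and of the Method 02 magic values (mov si,4647h / mov di,4A4Dh near an int 3, 16-bit code), and for the back door it decodes which function AX selects. The sample byte strings are constructed for the demonstration (one mirrors the Haspinst.exe loop shown above), and the tolerance window between instructions is this example's own choice.

```python
"""Static scan for the int 3 based SoftICE checks of Methods 01 and 02.

Added example, not from the original text.  It looks for the standard x86
encodings of the instructions the text shows; sample bytes are constructed.
"""
import re

# SoftICE back door functions selected in AX (Method 02).
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Method 01 in 32-bit code.  A few bytes are tolerated between the
# instructions (nops, reordered moves); the window size is an assumption.
BCHK_32 = re.compile(
    rb"\xBD\x4B\x48\x43\x42"     # mov ebp, 4243484Bh  (little-endian 'BCHK')
    rb".{0,8}?"
    rb"\x66\xB8\x04\x00"         # mov ax, 4  (66h prefix: 16-bit operand in 32-bit code)
    rb".{0,8}?"
    rb"(?:\xCC|\xCD\x03)",       # int 3, short or long form
    re.DOTALL,
)

# Method 02 in 16-bit code: the two magic values plus the function selector.
MOV_SI_MAGIC = b"\xBE\x47\x46"                        # mov si, 4647h
MOV_DI_MAGIC = b"\xBF\x4D\x4A"                        # mov di, 4A4Dh
MOV_AX_FUNC = re.compile(rb"\xB8([\x10-\x14])\x09")   # mov ax, 0910h..0914h
INT3 = re.compile(rb"\xCC|\xCD\x03")


def scan_bchk(code: bytes) -> list:
    """Offsets of BoundsChecker-style (Method 01) sequences."""
    return [m.start() for m in BCHK_32.finditer(code)]


def scan_backdoor(code: bytes, window: int = 24) -> list:
    """Back door (Method 02) sequences: the mov si,4647h anchor with the
    mov di,4A4Dh and an int 3 within `window` bytes on either side.
    Requiring all three pieces keeps a stray BE 47 46 in data from being
    reported on its own."""
    hits = []
    start = code.find(MOV_SI_MAGIC)
    while start != -1:
        region = code[max(0, start - window):start + window]
        if MOV_DI_MAGIC in region and INT3.search(region):
            sel = MOV_AX_FUNC.search(region)
            func = (0x0900 | sel.group(1)[0]) if sel else None
            hits.append({"offset": start, "function": func,
                         "name": BACKDOOR_FUNCS.get(func, "unknown")})
        start = code.find(MOV_SI_MAGIC, start + 1)
    return hits


def scan(code: bytes) -> dict:
    return {"bchk": scan_bchk(code), "backdoor": scan_backdoor(code)}


# Constructed samples (not from any real file).  SAMPLE_METHOD02 mirrors the
# Haspinst.exe loop: mov ax,0911 / mov dx,[bx] / mov si,4647 / mov di,4A4D /
# int 3 / add bx,2 / inc cx / cmp cx,6 / jb.  SAMPLE_METHOD01 is the 32-bit
# BCHK check followed by cmp al,4 / jnz.  SAMPLE_CLEAN is a plain prologue.
SAMPLE_METHOD02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB")
SAMPLE_METHOD01 = bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")
SAMPLE_CLEAN = bytes.fromhex("55 8BEC 33C0 5D C3")

if __name__ == "__main__":
    for name, blob in (("method01", SAMPLE_METHOD01),
                       ("method02", SAMPLE_METHOD02),
                       ("clean", SAMPLE_CLEAN)):
        print(name, scan(blob))
```

Run it over a file's code section (e.g. the bytes of a packed sample's entry stub) to get offsets worth disassembling; a hit on the back door also tells you which function the sample wanted (an 0911h 'execute command' hit is the one that can carry a destructive command such as HBOOT).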
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

    xor di,di
    mov es,di                   ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di                  ; still 0 if no VxD answered
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; ES -> interrupt vector table (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler leaves AX alone; SoftICE answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; a varying value (timer counter)
    xor cx,cx
    int 41h                     ; if SoftICE took over int 41h, CL never receives AL
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
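Method 10 reads dr7 and dr0..dr3 in ring 0; the values it sees are easier to interpret once the DR7 bit fields are decoded. The Python below is an added example, not code from the original text: it decodes a DR7 value (bit layout as documented by Intel for the x86 debug registers: L0..L3/G0..G3 in bits 0-7, LE in bit 8, GE in bit 9, GD in bit 13, and the R/W and LEN pairs from bit 16 up) into the LE/GE flags behind the 0x700 versus 0x400 values quoted above and the list of armed hardware breakpoint slots. The sample values are the two from the text plus a constructed one with a global write breakpoint in slot 0; the classify() wording is this example's own.

```python
"""Decode an x86 DR7 value as read by Method 10.

Added example, not from the original text.  Bit layout per Intel's
documentation of the debug registers; sample values are constructed.
"""

RW_CONDITION = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE/GD flags and the list of enabled breakpoint slots."""
    enabled = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/Wn: what triggers the breakpoint
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENn: size of the watched region
        enabled.append({
            "slot": i,
            "scope": "global" if glob else "local",
            "condition": RW_CONDITION[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: traps any mov to/from DRx
        "enabled": enabled,
    }


def classify(dr7: int) -> str:
    """Summarise a DR7 value in the terms Method 10 uses."""
    d = decode_dr7(dr7)
    notes = []
    if d["LE"] and d["GE"]:
        notes.append("LE+GE set (the 0x700 pattern the text attributes to the SoftICE loader)")
    if d["enabled"]:
        notes.append(f"{len(d['enabled'])} hardware breakpoint(s) armed")
    return "; ".join(notes) or "no debugger marks (0x400-style value)"


# Constructed values: the two quoted in the text, plus one with a BPM-style
# global write breakpoint of 4 bytes in slot 0 (G0, RW0=01, LEN0=11).
DR7_PLAIN = 0x400
DR7_LOADER = 0x700
DR7_BPM_SLOT0 = 0x400 | 0b10 | (0b01 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (DR7_PLAIN, DR7_LOADER, DR7_BPM_SLOT0):
        print(hex(value), classify(value), decode_dr7(value)["enabled"])
```

Note that bit 10 of DR7 always reads as 1, which is why even the "nothing set" value in the text is 0x400 rather than 0; the decoder ignores it. When a sample you are analysing touches the debug registers, a captured DR7 from a crash dump or from the kernel debugger can be fed straight into decode_dr7() to see what the sample would have concluded.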
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver answers to its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver is present: release the handle and report it */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025           ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp  ax, 0f386h             ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je  not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>