<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap our handler into the IVT (es = 0, as in Method 06)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if our handler, not SoftICE, got the int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* Open the VxD by its device name; success means the driver is loaded. */
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
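As an added example (not part of the original text), the following Python scanner looks for the byte patterns of the checks catalogued above (Methods 01 to 05, 07, 11 and 12) in a raw binary, which is how a triage analyst would flag an anti-SoftICE packer statically. The encodings are hand-assembled and the sample buffer is constructed here; a real protector may use other instruction forms or encodings that these patterns miss.

```python
"""Static scanner for the SoftICE detection tricks listed above (added example)."""
import re
import sys

# Hand-assembled x86 encodings of the instruction sequences the text shows.
# Assumption: an optional 0x66 operand-size prefix covers 16- vs 32-bit code;
# other encodings of the same instructions (memory operands, etc.) are missed.
P66 = rb"(?:\x66)?"
SIGNATURES = {
    "m01_bchk_int3":      P66 + rb"\xbd\x4b\x48\x43\x42",                          # mov ebp,'BCHK'
    "m02_backdoor_magic": P66 + rb"\xbe\x47\x46.{0,16}?" + P66 + rb"\xbf\x4d\x4a",  # mov si,4647h .. mov di,4A4Dh
    "m03_int2f_sice":     P66 + rb"\xb8\x84\x16" + P66 + rb"\xbb\x02\x02",          # mov ax,1684h / mov bx,0202h
    "m04_int2f_siwvid":   P66 + rb"\xb8\x84\x16" + P66 + rb"\xbb\x5f\x7a",          # mov ax,1684h / mov bx,7A5Fh
    "m05_int41_4f":       P66 + rb"\xb8\x4f\x00\xcd\x41",                          # mov ax,4Fh / int 41h
    "m07_int68_43":       rb"\xb4\x43\xcd\x68",                                     # mov ah,43h / int 68h
    "m11_device_name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",                    # "\\.\SICE" etc. (ANSI only)
    "m12_vxdcall_int41":  rb"\x6a\x4f\x68\x2a\x00\x2a\x00",                         # push 4Fh / push 2A002Ah
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return sorted (offset, signature name) pairs for every match in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the Haspinst.exe backdoor sequence (Method 02), a
# Method 05 check and a MeltICE device name, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"          # mov ax,0911h
    + b"\x8b\x17"              # mov dx,[bx]
    + b"\xbe\x47\x46"          # mov si,4647h
    + b"\xbf\x4d\x4a"          # mov di,4A4Dh
    + b"\xcc"                  # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"  # mov ax,4Fh / int 41h
    + b"\x3d\x86\xf3"          # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # "\\.\SICE"
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name in hits:
        print(f"0x{off:06x}  {name}")
```

Run it with a file path to scan a real sample; with no argument it reports the three hits in the constructed buffer.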
</PRE></TD></TR></TBODY></TABLE>