<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
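Added example (Python, not part of the original text): a small static scanner that looks for the back-door signature just described, i.e. the MOV SI,4647h / MOV DI,4A4Dh magic loads followed by an INT 3, and reports the AX function code loaded before them. The function names, the byte window and the sample bytes (a constructed encoding of the Haspinst.exe loop above, using the standard 16-bit opcodes) are assumptions of this example, not of the document.

```python
"""Static scan for the SoftICE 'back door' INT 3 signature (Method 02).

Added example, not the original document's code. HASP_LOOP is a
constructed encoding of the Haspinst.exe listing on the page.
"""
from typing import Dict, List, Optional

# Back-door function codes (AX) listed on the page.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# Standard 16-bit x86 encodings of the two magic loads and of INT 3.
MOV_SI_4647 = b"\xbe\x47\x46"   # MOV SI,4647h
MOV_DI_4A4D = b"\xbf\x4d\x4a"   # MOV DI,4A4Dh
INT3 = 0xCC

def _find_mov_ax_09xx(code: bytes, lo: int, hi: int) -> Optional[int]:
    """Search backwards in code[lo:hi] for MOV AX,09xxh (B8 xx 09)."""
    for i in range(hi - 3, lo - 1, -1):
        if code[i] == 0xB8 and code[i + 2] == 0x09:
            return 0x0900 | code[i + 1]
    return None

def find_backdoor_calls(code: bytes, window: int = 16) -> List[Dict]:
    """One record per MOV SI,4647h that is paired with MOV DI,4A4Dh
    and followed by an INT 3 within `window` bytes."""
    hits: List[Dict] = []
    pos = code.find(MOV_SI_4647)
    while pos != -1:
        lo, hi = max(0, pos - window), min(len(code), pos + window)
        paired = MOV_DI_4A4D in code[lo:hi]      # both magic values present
        trapped = INT3 in code[pos:hi]           # and an INT 3 follows them
        if paired and trapped:
            ax = _find_mov_ax_09xx(code, lo, pos)
            hits.append({"offset": pos, "ax": ax,
                         "function": BACKDOOR_FUNCTIONS.get(ax, "other/unknown AX value")})
        pos = code.find(MOV_SI_4647, pos + 1)
    return hits

# Constructed encoding of the page's Haspinst.exe loop (4C19:0095..00AD).
HASP_LOOP = bytes([
    0xB8, 0x11, 0x09,   # MOV AX,0911h
    0x8B, 0x17,         # MOV DX,[BX]
    0xBE, 0x47, 0x46,   # MOV SI,4647h   (offset 5)
    0xBF, 0x4D, 0x4A,   # MOV DI,4A4Dh
    0xCC,               # INT 3
    0x83, 0xC3, 0x02,   # ADD BX,2
    0x41,               # INC CX
    0x83, 0xF9, 0x06,   # CMP CX,6
    0x72, 0xEB,         # JB 0095h (back to the loop top)
    0xE9, 0x55, 0xFF,   # JMP 0002h
    0x8B, 0xDC,         # MOV BX,SP
])
```

A hit with "ax": None means the magic loads and INT 3 were found but no MOV AX,09xxh preceded them within the window, which is worth a manual look rather than a dismissal.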
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to already point to segment 0 (the IVT); Method 06
    ; below sets it up explicitly.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler ...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ... and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read PIT channel 0: an unpredictable al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler really ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
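Added example (Python, not from the original text): a decoder for the dr7 value mentioned above, showing why 0x400 is the quiet value (only the always-set bit 10) and 0x700 means the LE/GE "exact" bits are also set, and which of dr0-dr3 are armed with what condition. The function names and the sample values are assumptions of this example; the bit layout is the standard IA-32 one.

```python
"""Decode the x86 DR7 debug-control register (Method 10).

Added example, not the original document's code. Standard IA-32 layout:
L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always reads 1,
R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n.
"""
from typing import Dict, List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> Dict:
    """Return the exact-match flags and one record per armed dr0..dr3."""
    bps: List[Dict] = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln bit
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "local_exact": bool(dr7 & 0x100),
        "global_exact": bool(dr7 & 0x200),
        "breakpoints": bps,
    }

def classify(dr7: int) -> str:
    """Apply the page's heuristic: 0x700 under the SoftICE loader, 0x400
    otherwise, and any Ln/Gn bit meaning a memory breakpoint (BPM) is set."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed (BPM set)"
    if info["local_exact"] and info["global_exact"]:
        return "LE/GE set: consistent with the SoftICE loader value 0x700"
    return "reset value: no debugger-visible state in dr7"

# Constructed sample: dr0 armed globally as a 4-byte write watchpoint.
SAMPLE_BPM_DR7 = 0x400 | 0x2 | (1 << 16) | (3 << 18)   # == 0xD0402
```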

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>