<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE understands: with
EBP = 'BCHK' and AX = 4, SoftICE's INT 3 handler recognises the
BoundsChecker request and modifies AL on return. Without SoftICE, INT 3
comes back with AL still equal to 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, the hard-reboot command...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If no VxD with that ID is loaded, the call
returns ES:DI = 0000:0000, which is why adding ES and DI into one register
and testing the sum for zero is enough.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next example as well as Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here a dummy int 41h handler (a bare
iret) is swapped into the real-mode vector table around the call, so that
on a machine without a debugger nothing unexpected services the interrupt
and AX comes back unchanged; SoftICE, which services int 41h from ring 0,
still answers 0F386h. ES must point to the interrupt vector table (segment
0), as it is set up in Method 06.

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function number (4Fh) and no magic value (0F386h) appear, so there is
nothing obvious to put a conditional breakpoint on. A byte read from the
timer port 40h lands in AL, CX is zeroed and int 41h is called. If the
interrupt reaches the dummy handler below, it copies AL into CL and the
compare succeeds; if SoftICE handles the interrupt itself and never chains
to the vector, CL and AL no longer match.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random byte from the PIT counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86). AH = 43h is the
installation check of int 68h; a debugger answers with AX = 0F386h, the
same magic number as int 41h/4Fh.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 is reserved and always reads as 1, which is where the 0x400
comes from, and 0x700 adds the LE and GE bits 8 and 9) or if there are some
memory breakpoints set (dr0 to dr3), simply by reading their value (in
ring 0 only). Values can be manipulated or changed as well (clearing BPMs
for instance).
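
The following decoder is an added example, not code from the original text
or from any SoftICE tool. Reading DR7 needs ring 0, so it does not touch the
register: it takes a value such as a ring-0 read would return and names what
is armed in it (LE/GE, the four L/G enables of DR0-DR3, the R/W and LEN
fields in bits 16-31, and GD), lists what an anti-debug check would flag,
and shows the "clear the BPMs" manipulation as a register rewrite. Field
positions are the ones documented in the Intel SDM; the sample values are
the two quoted above plus one constructed DR0 breakpoint.

```python
"""DR7 decoder for the debug-register check of Method 10 (added example)."""

# Bits 16-31 of DR7: two R/W bits and two LEN bits per breakpoint slot.
RW_NAMES = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7):
    """Return the breakpoints armed in DR7 plus the LE/GE/GD control bits."""
    breakpoints = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1        # Ln: bits 0,2,4,6
        glob = (dr7 >> (2 * slot + 1)) & 1     # Gn: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * slot)) & 0b11
            ln = (dr7 >> (18 + 4 * slot)) & 0b11
            breakpoints.append({
                "slot": slot,
                "local": bool(local),
                "global": bool(glob),
                "type": RW_NAMES[rw],
                "len": LEN_BYTES[ln],
            })
    return {
        "le": bool(dr7 & 0x100),   # bit 8: local exact breakpoint enable
        "ge": bool(dr7 & 0x200),   # bit 9: global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),  # bit 13: general detect (traps MOV DRn)
        "breakpoints": breakpoints,
    }


def debugger_indicators(dr7):
    """List the reasons an anti-debug check would flag this DR7 value.

    An empty list means DR7 looks like a machine with no debugger: only the
    always-set reserved bit 10 (0x400) and nothing else.
    """
    info = decode_dr7(dr7)
    reasons = []
    if info["le"] or info["ge"]:
        reasons.append("LE/GE set: program was started through the SoftICE loader")
    for bp in info["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        reasons.append(
            f"DR{bp['slot']} armed ({scope} {bp['type']}, {bp['len']} byte(s)): BPM set"
        )
    if info["gd"]:
        reasons.append("GD set: a debugger traps every MOV to/from DR0-DR7")
    return reasons


def clear_hw_breakpoints(dr7):
    """DR7 with all four L/G enables cleared, i.e. every BPM disarmed.

    The R/W and LEN fields are left alone; with the enable bits off they are
    inert.  Bit 10 is forced on because the hardware always reads it as 1.
    """
    return (dr7 & ~0xFF) | 0x400


if __name__ == "__main__":
    # 0xF0401 is a constructed value: L0 set, R/W0 = read/write, LEN0 = 4 bytes.
    for value in (0x400, 0x700, 0xF0401):
        print(f"dr7=0x{value:X}: {debugger_indicators(value) or ['clean']}")
    print(f"after clearing: 0x{clear_hw_breakpoints(0xF0401):X}")
```

The same decoder applies to any DR7 value, not only the two the text
quotes: a BPM set from SoftICE shows up as an L bit with its R/W and LEN
fields, and a program that wants to disarm them only has to clear bits 0-7.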

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the device could be opened, so the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
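
The register loads and interrupts of Methods 01 to 07, the device names of
Method 11 and the VxDCall arguments of Method 12 leave fixed byte sequences
in a program. The scanner below, an added example that is not part of the
original text, turns them into byte-level signatures and looks for them in a
file image, which is how an analyst would triage a packed executable for
these checks before running it under a debugger. Opcode encodings follow the
Intel manual (the optional 66h prefix covers 16-bit register loads inside
32-bit code); the byte buffer at the end is constructed for the demonstration,
not taken from any real program, and the wildcard gaps are an assumption
about how much unrelated code may sit between the loads and the interrupt.

```python
"""Byte-signature scanner for the SoftICE checks described on this page.

Added example, not original code.  Each regex is the machine-code shape of
one of the assembly snippets above; \\x66 is the operand-size prefix that a
16-bit register load carries inside 32-bit code, so it is made optional.
The .{0,8}? gaps tolerate a few unrelated instructions between the loads and
the interrupt (an assumption about typical packer code, not a rule).
"""
import re

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ; mov ax,4 (B8 04 00) ; int 3
    ("M01", rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC"),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either
    # order, followed by int 3 (CC)
    ("M02", rb"(?:(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"
            rb"|(?:\x66)?\xBF\x4D\x4A.{0,8}?(?:\x66)?\xBE\x47\x46).{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h (B8 84 16) ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04", rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41)
    ("M05", rb"(?:\x66)?\xB8\x4F\x00.{0,4}?\xCD\x41"),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68)
    ("M07", rb"\xB4\x43.{0,4}?\xCD\x68"),
    # Method 11: the device names MeltICE opens, as NUL-terminated ASCII
    ("M11", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) ; push 002A002Ah (68 2A 00 2A 00)
    ("M12", rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(image):
    """Return [(method, offset), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(image):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path):
    """Scan a file on disk (an unpacked DOS or Win32 executable, for instance)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: four of the page's checks separated by filler.  It is
# hand-assembled for this example, not extracted from a real binary.
SAMPLE = (
    b"\x90" * 4                                     # nops (offset 0)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01 (offset 4)
    + b"\x3C\x04\x75\x10"                           # cmp al,4 ; jnz (offset 14)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03 (offset 18)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # Method 12 (offset 26)
    + b"\\\\.\\SICE\x00"                            # Method 11 string (offset 33)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for method, offset in scan(SAMPLE):
        print(f"{method:7s} at 0x{offset:04X}")
```

Running it on the constructed buffer reports M01 at 0x0004, M03/04 at
0x0012, M12 at 0x001A and M11 at 0x0021. Real samples will need the gaps
tuned: packers interleave junk instructions between the loads, and Method
02 in particular is often spread over several instructions. The signatures
for Methods 06, 09, 10, 13 and 14 are deliberately absent, since those leave
no fixed byte pattern (no function number, a VMM call, a register read, or a
registry access) and need behavioural detection instead.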
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; zero flag set on return means no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>