<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is in ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if nothing else has taken int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; an arbitrary value (timer)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler never ran: a debugger took the int
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* needs the Win32 API header (windows.h) */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
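Most of the tricks above leave fixed immediates or strings in the protected binary (the 'BCHK' marker of method 01, the 4647h/4A4Dh pair of method 02, the 1684h/0202h/7A5Fh probe of methods 03 and 04, the 0F386h magic of methods 05, 07 and 12, the \\.\SICE device names of method 11). The following static scanner, added here and not part of the original text or of any tool it mentions, looks for those byte patterns in a raw code buffer; the opcode encodings are standard x86, and the sample buffer is constructed from the page's own fragments, not taken from a real program.

```python
import re
from typing import List, Tuple

# (name, byte pattern).  Immediates are little-endian.  Opcodes used:
#   BD = mov ebp,imm32   BE/BF = mov si/di,imm16   B8/BB = mov ax/bx,imm16
#   3D = cmp ax,imm16 (66h operand-size prefix in 32-bit code)   CD = int imm8
SIGNATURES = [
    ("method01 BoundsChecker marker: mov ebp,'BCHK'",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("method02 back-door magic pair: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("method03/04 VxD probe: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    ("method05/07/12 debugger magic: cmp ax,0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("method11 MeltICE device name: \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer (not a real executable): the page's method 01, 02,
    05, 03 and 11 fragments encoded as raw opcodes, separated by NOP filler."""
    method01 = (b"\xBD\x4B\x48\x43\x42"  # mov ebp, 4243484Bh ('BCHK')
                b"\x66\xB8\x04\x00"      # mov ax, 4
                b"\xCC"                  # int 3
                b"\x3C\x04"              # cmp al, 4
                b"\x75\x00")             # jnz (displacement is a dummy)
    method02 = (b"\xB8\x11\x09"          # mov ax, 0911h
                b"\xBE\x47\x46"          # mov si, 4647h
                b"\xBF\x4D\x4A"          # mov di, 4A4Dh
                b"\xCC")                 # int 3
    method05 = (b"\xB8\x4F\x00"          # mov ax, 4Fh
                b"\xCD\x41"              # int 41h
                b"\x3D\x86\xF3"          # cmp ax, 0F386h
                b"\x74\x00")             # jz (displacement is a dummy)
    method03 = (b"\xB8\x84\x16"          # mov ax, 1684h
                b"\xBB\x02\x02"          # mov bx, 0202h (winice VxD ID)
                b"\xCD\x2F")             # int 2Fh
    device = b"\\\\.\\SICE\x00"          # the string MeltICE hands to CreateFileA
    nops = b"\x90" * 16
    return (nops + method01 + nops + method02 + nops + method05
            + nops + method03 + nops + device)


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Hits are only hints: the immediates can be obfuscated or built at run time, so a clean scan does not prove the absence of these checks, while a hit tells you where to put the breakpoints listed under each method.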
</PRE></TD></TR></TBODY></TABLE>