<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4,
SoftICE services the INT 3 itself and changes AL; without SoftICE, AL is
still 4 afterwards.

   mov ebp, 04243484Bh   ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al,4
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the ASCIZ command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

   4C19:0095 MOV AX,0911    ; execute command.
   4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
   4C19:009A MOV SI,4647    ; 1st magic value.
   4C19:009D MOV DI,4A4D    ; 2nd magic value.
   4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
   4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
   4C19:00A4 INC CX
   4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
   4C19:00A8 JB 0095        ; 6 different commands.
   4C19:00AA JMP 0002       ; Bad_Guy jmp back.
   4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler
for int 3 if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
unchanged (0:0).


   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h       ; VxD ID of winice
   int 2Fh
   mov ax, es          ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh       ; VxD ID of SIWVID
   int 2Fh
   mov ax, es          ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The temporary int41handler2 is a bare
iret, so the call is harmless if nothing else services int 41h:

   xor ax,ax
   mov es,ax                 ; es = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]       ; install our handler, keep the old vector
   xchg bx, es:[41h*4+2]
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]       ; restore the old vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect, as it
uses neither function 4Fh nor the 0F386h constant. The temporary handler
copies al into cl; if SoftICE intercepts int 41h, the installed handler does
not get to copy al, so cl stays 0 and differs from al:


int41handler PROC
   mov cl,al
   iret
int41handler ENDP


   xor ax,ax
   mov es,ax                 ; es = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h                ; timer byte: a value that is rarely 0
   xor cx,cx
   int 41h
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   cmp cl,al
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
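The int 3 and software-interrupt checks of methods 01 to 07 all carry fixed
immediates (4243484Bh, 4647h/4A4Dh, the VxD IDs 0202h/7A5Fh, functions 4Fh and
43h), so they can be found statically in a packed binary before running it. The
scanner below is an added example, not code from the original text or from any
of the protections named above. It assumes the checks are assembled exactly as
listed (standard 16-bit encodings; a 32-bit esi/edi form of method 02 is added
as an assumption), and its sample buffers are constructed here: the first one is
hand-assembled from the Haspinst.exe listing under method 02, the others are
made up to exercise the remaining signatures and the "no INT 3 nearby" case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte signatures of the checks above (assumption: assembled exactly as listed). */
static const uint8_t SIG_BCHK[]   = {0xBD,0x4B,0x48,0x43,0x42};              /* mov ebp,4243484Bh          (01) */
static const uint8_t SIG_SIDI[]   = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};         /* mov si,4647h; mov di,4A4Dh (02) */
static const uint8_t SIG_DISI[]   = {0xBF,0x4D,0x4A,0xBE,0x47,0x46};         /* same pair, other order     (02) */
static const uint8_t SIG_ESIEDI[] = {0xBE,0x47,0x46,0,0,0xBF,0x4D,0x4A,0,0}; /* 32-bit esi/edi form        (02) */
static const uint8_t SIG_SICE[]   = {0xBB,0x02,0x02,0xCD,0x2F};              /* mov bx,0202h; int 2Fh      (03) */
static const uint8_t SIG_SIWVID[] = {0xBB,0x5F,0x7A,0xCD,0x2F};              /* mov bx,7A5Fh; int 2Fh      (04) */
static const uint8_t SIG_INT41[]  = {0xB8,0x4F,0x00,0xCD,0x41};              /* mov ax,4Fh; int 41h        (05) */
static const uint8_t SIG_INT68[]  = {0xB4,0x43,0xCD,0x68};                   /* mov ah,43h; int 68h        (07) */

typedef struct { const char *name; const uint8_t *pat; size_t len; int needs_int3; } sice_sig;

static const sice_sig SIGS[] = {
    {"01 BCHK + int 3",         SIG_BCHK,   sizeof SIG_BCHK,   1},
    {"02 backdoor + int 3",     SIG_SIDI,   sizeof SIG_SIDI,   1},
    {"02 backdoor + int 3",     SIG_DISI,   sizeof SIG_DISI,   1},
    {"02 backdoor + int 3",     SIG_ESIEDI, sizeof SIG_ESIEDI, 1},
    {"03 int 2Fh/1684h SICE",   SIG_SICE,   sizeof SIG_SICE,   0},
    {"04 int 2Fh/1684h SIWVID", SIG_SIWVID, sizeof SIG_SIWVID, 0},
    {"05 int 41h/4Fh",          SIG_INT41,  sizeof SIG_INT41,  0},
    {"07 int 68h/43h",          SIG_INT68,  sizeof SIG_INT68,  0},
};

typedef struct { const char *name; size_t offset; int ax; } sice_hit;

/* Index of the first INT 3 (CC, or CD 03) in [from, from+window), or -1. */
static long find_int3(const uint8_t *b, size_t len, size_t from, size_t window)
{
    size_t end = from + window < len ? from + window : len;
    for (size_t k = from; k < end; k++) {
        if (b[k] == 0xCC) return (long)k;
        if (b[k] == 0xCD && k + 1 < end && b[k + 1] == 0x03) return (long)k;
    }
    return -1;
}

/* Immediate of the first MOV AX,imm16 (B8 iw; 66-prefixed in 32-bit code) in
   [from, to), or -1. Heuristic: a B8 byte inside another instruction fools it. */
static int find_mov_ax(const uint8_t *b, size_t from, size_t to)
{
    for (size_t k = from; k + 2 < to; k++)
        if (b[k] == 0xB8) return b[k + 1] | (b[k + 2] << 8);
    return -1;
}

/* Scan a code buffer; returns the number of hits written to out. */
size_t sice_scan(const uint8_t *b, size_t len, sice_hit *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            const sice_sig *g = &SIGS[s];
            if (len - i < g->len || memcmp(b + i, g->pat, g->len) != 0) continue;
            int ax = -1;
            if (g->needs_int3) {
                /* the magic values only matter if an INT 3 follows within a few bytes */
                long t = find_int3(b, len, i + g->len, 8);
                if (t < 0) continue;
                ax = find_mov_ax(b, i >= 8 ? i - 8 : 0, (size_t)t);
            }
            out[n].name = g->name; out[n].offset = i; out[n].ax = ax; n++;
            break;
        }
    }
    return n;
}

/* Constructed sample: the HASPINST.EXE fragment quoted under method 02, assembled. */
const uint8_t SAMPLE_HASPINST[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,  /* mov ax,0911 .. int 3 */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB, 0xE9,0x55,0xFF, 0x8B,0xDC
};
/* Constructed sample: a 32-bit method 01 check (66-prefixed mov ax,4), cmp al,4 and a jnz. */
const uint8_t SAMPLE_WIN32[] = {
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10
};
/* Constructed sample: method 05 followed by method 07, each with its cmp ax,0F386h / jz. */
const uint8_t SAMPLE_DOS[] = {
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x00
};
/* Constructed sample: the magic values with no INT 3 within reach; must not be flagged. */
const uint8_t SAMPLE_CLEAN[] = {
    0xBE,0x47,0x46,0xBF,0x4D,0x4A, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0xCC
};

int main(void)
{
    sice_hit h[8];
    size_t n = sice_scan(SAMPLE_HASPINST, sizeof SAMPLE_HASPINST, h, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s at +%zu (ax=%d)\n", h[i].name, h[i].offset, h[i].ax);
    return 0;
}
```

Run over the Haspinst bytes it reports the backdoor call at offset 5 with AX=0911h;
the clean buffer produces nothing because the INT 3 window (8 bytes) is never reached.
The int 3 window and the MOV AX lookback are deliberate heuristics: a packer that
splits the magic loads with junk code or computes the immediates at run time
(xor-decoding 4647h, say) will slip past a byte scanner, which is why the dynamic
breakpoints quoted under the later methods remain the reliable check.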
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)


   mov ah, 25h
   mov al, Int_Number             ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed from ring0 (a VxD, or a ring3 app reaching ring0 through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only, since mov eax,drN is a privileged instruction).
Values can be manipulated or changed as well (clearing BPMs for instance).

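The two DR7 values quoted above are easier to act on once the register is
decoded. The decoder below is an added example, not part of the original text
or of any tool it describes: it splits DR7 into its four local/global enable
pairs and their R/W and LEN fields, reports which of DR0-DR3 is armed (a BPM, in
SoftICE terms), and classifies the text's two reference values. The third sample
value, a 4-byte write breakpoint on DR0, is constructed here. Reading DR7 itself
stays ring0-only, as the text says; from user mode one has to ask the OS
(GetThreadContext with CONTEXT_DEBUG_REGISTERS on Windows, PTRACE_PEEKUSER of
u_debugreg on Linux), and a debugger sitting between the program and the OS can
filter what that call reports.

```c
#include <stdint.h>
#include <stdio.h>

/* One of the four DR0..DR3 breakpoint slots described by DR7. */
typedef struct {
    int enabled;   /* L bit (2i) or G bit (2i+1) set */
    int rw;        /* bits 16+4i: 0 = execute, 1 = data write, 2 = I/O, 3 = data read/write */
    int len;       /* bits 18+4i, decoded to a byte length */
} dr7_slot;

enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9 };   /* bit 10 is reserved and always reads as 1 */

/* Decode the four condition slots of a DR7 value. */
void dr7_decode(uint32_t dr7, dr7_slot out[4])
{
    static const int lens[4] = {1, 2, 8, 4};   /* LEN: 00=1, 01=2, 10=8 (64-bit mode only), 11=4 */
    for (int i = 0; i < 4; i++) {
        out[i].enabled = ((dr7 >> (2 * i)) & 3) != 0;
        out[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        out[i].len     = lens[(dr7 >> (18 + 4 * i)) & 3];
    }
}

/* Bit i set in the result means DRi is live: a hardware breakpoint is armed,
   whoever armed it (SoftICE's BPM, another debugger, or the program itself). */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3) m |= 1u << i;
    return m;
}

/* The text's two reference values: 0x400 is only the reserved bit 10; 0x700 also
   carries LE and GE (bits 8/9), which the text associates with programs started
   through the SoftICE loader. Returns 0 = nothing, 1 = LE/GE set, 2 = a slot armed. */
int dr7_suspicion(uint32_t dr7)
{
    if (dr7_armed_mask(dr7)) return 2;
    if ((dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)) return 1;
    return 0;
}

int main(void)
{
    /* constructed values: the text's two, plus a 4-byte write BPM on DR0 (L0=1, RW0=01, LEN0=11) */
    const uint32_t samples[] = {0x400, 0x700, 0x000D0701};
    for (int j = 0; j < 3; j++) {
        dr7_slot s[4];
        dr7_decode(samples[j], s);
        printf("dr7=%08X suspicion=%d armed=%X", (unsigned)samples[j],
               dr7_suspicion(samples[j]), dr7_armed_mask(samples[j]));
        for (int i = 0; i < 4; i++)
            if (s[i].enabled) printf(" DR%d:rw=%d,len=%d", i, s[i].rw, s[i].len);
        printf("\n");
    }
    return 0;
}
```

The LE/GE test is only as good as the text's observation about the loader; the
armed-slot test is the robust one, since any BPM or BPX-on-hardware must leave an
enable bit set while it is active, and a program that also reads DR0-DR3 gets
the watched addresses for free (which is why the warning above says to clear
breakpoints before tracing such code).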
__________________________________________________________________________" P, P4 |. w# ~! q

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE if the Win9x SoftICE driver (SICE) answers a device open */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


   00401067: push 00402025     ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
   00401074: je 00401091       ; not opened -> SoftICE absent


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                ; OF_READ
   mov eax,[00656634]     ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                ; HFILE_ERROR (-1) becomes 0
   jnz 00650589           ; detected
   push 00                ; OF_READ
   mov eax,[00656638]     ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push 0000004fh          ; function 4fh
   push 002a002ah          ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_0001  ; VxDCall
   cmp ax, 0f386h          ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (0x13 and 0x37 are the offsets of "tICE" in the subkey strings of #2 and #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>