<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is
loaded it answers the 'BCHK' request made through int 3, and AL no
longer holds the value 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API entry point). If the VxD is not installed, ES:DI stays 0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The code first installs its own dummy
int 41h handler (a bare iret) in the vector table, so the check does not
depend on any handler being present when no debugger is loaded:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
does not use function 4Fh. AL is loaded from the timer port and the dummy
handler copies it into CL; if SoftICE intercepts int 41h, the handler never
runs, CL stays 0 and the compare fails.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
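As an added example (not part of the original text), here is a small static triage
script in Python that looks for the byte sequences behind methods 01, 02, 03/04, 05,
07, 11 and 12 in a file image, so an analyst can spot these anti-SoftICE checks in a
sample without running it. The opcode encodings follow the listings above; the gap
sizes tolerated between instructions, the rule names and the sample buffer are my own
assumptions.

```python
"""Static triage for the SoftICE checks listed above (methods 01, 02, 03/04,
05, 07, 11 and 12). Added example, not part of the original text: it looks for
the opcode/immediate sequences and device names the listings contain so an
analyst can spot these checks in a sample without executing it.
"""
import re

# Patterns assume the 16/32-bit encodings implied by the listings; the
# ".{0,N}" gaps tolerate interleaved instructions and are an assumption.
RULES = [
    ("M01 BoundsChecker 'BCHK' via int 3",                 # mov ebp,4243484Bh ... int 3
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    ("M02 SoftICE backdoor SI=4647h DI=4A4Dh",             # mov si ; mov di ; int 3
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    ("M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",    # mov ax,1684h ; mov bx,ID ; int 2Fh
     rb"\xB8\x84\x16.{0,4}\xBB(\x02\x02|\x5F\x7A).{0,4}\xCD\x2F"),
    ("M05 int 41h/4Fh compared with 0F386h",               # mov ax,4Fh ; int 41h ; cmp ax,0F386h
     rb"\xB8\x4F\x00.{0,4}\xCD\x41.{0,8}\x3D\x86\xF3"),
    ("M07 int 68h/43h compared with 0F386h",               # mov ah,43h ; int 68h ; cmp ax,0F386h
     rb"\xB4\x43.{0,4}\xCD\x68.{0,8}\x3D\x86\xF3"),
    ("M11 MeltICE driver device name",                     # \\.\SICE, \\.\SIWVID, \\.\NTICE
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("M12 VxDCall VWIN32_Int41Dispatch (002A002Ah)",       # push 4Fh ; push 002A002Ah
     rb"(\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in RULES]


def scan(blob):
    """Return [(rule name, offset), ...] for every match, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((name, m.start()) for m in rx.finditer(blob))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample, not taken from any real file: NOP padding, a method 05
# check, two MeltICE device names and a method 02 backdoor call.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h / mov dx,[bx] / si / di / int 3
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it on a dumped executable image instead of SAMPLE to get offsets of each suspected check; the 16-bit immediates also match inside 32-bit code because the 66h operand-size prefix precedes the matched bytes.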

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>