<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: 'BCHK' in EBP together
with AX=04h on an INT 3. If SoftICE is loaded it answers by changing AL;
without it the INT 3 returns with AL still equal to 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
If you trace this with SoftICE loaded, the last one reboots the machine:
neutralise the INT 3 (change AX, or the command ds:dx points to) before it
executes.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
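Added example (my own code, not from the original page nor from HASP/Haspinst): a
small walker for the command table that the loop above iterates, so the six
commands can be dumped from a disassembly or a memory image and HBOOT spotted
before the INT 3 is ever stepped over. The loop's addressing (MOV DX,[BX] ...
ADD BX,2 ... CMP CX,6) means BX points at six consecutive 16-bit little-endian
near pointers, each naming an ASCIIZ command in the data segment. The segment
image, the table offset 0100h and the string offsets below are constructed for
this example; the real Haspinst.exe addresses are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMD  32           /* longest command string we extract */
#define SEG_SIZE 0x10000      /* one 16-bit data segment */

/* Little-endian word at ds:off, wrapping at 64 KiB like the CPU does. */
static uint16_t rd16(const uint8_t *seg, uint16_t off)
{
    return (uint16_t)(seg[off] | (seg[(uint16_t)(off + 1)] << 8));
}

/* Copy the ASCIIZ string at ds:off into out (truncating at cap-1). */
static void read_asciiz(const uint8_t *seg, uint16_t off, char *out, size_t cap)
{
    size_t n = 0;
    while (n + 1 < cap && seg[(uint16_t)(off + n)] != 0) {
        out[n] = (char)seg[(uint16_t)(off + n)];
        n++;
    }
    out[n] = '\0';
}

/*
 * Replays the loop's addressing: MOV DX,[BX] / ADD BX,2 / INC CX / CMP CX,count.
 * BX points at `count` consecutive near pointers; each is the ds:dx handed to
 * the AX=0911h back door.  Fills cmds[] and returns the count.
 */
int extract_backdoor_commands(const uint8_t *seg, uint16_t table_off,
                              int count, char cmds[][MAX_CMD])
{
    for (int i = 0; i < count; i++) {
        uint16_t dx = rd16(seg, (uint16_t)(table_off + 2 * i));  /* MOV DX,[BX] */
        read_asciiz(seg, dx, cmds[i], MAX_CMD);
    }
    return count;
}

/* HBOOT reboots the machine: an analyst wants it flagged before stepping. */
int is_destructive_command(const char *cmd)
{
    return strcmp(cmd, "HBOOT") == 0;
}

/* Constructed sample segment: table at 0100h, strings packed from 0200h. */
void build_sample_segment(uint8_t *seg, uint16_t *table_off)
{
    static const char *const names[6] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };
    uint16_t str_off = 0x0200;
    memset(seg, 0, SEG_SIZE);
    *table_off = 0x0100;
    for (int i = 0; i < 6; i++) {
        size_t len = strlen(names[i]) + 1;                       /* include the NUL */
        memcpy(seg + str_off, names[i], len);
        seg[*table_off + 2 * i]     = (uint8_t)(str_off & 0xFF); /* low byte first */
        seg[*table_off + 2 * i + 1] = (uint8_t)(str_off >> 8);
        str_off = (uint16_t)(str_off + len);
    }
}

/* Build the sample segment and extract its six commands. */
int sample_commands(char cmds[][MAX_CMD])
{
    static uint8_t seg[SEG_SIZE];
    uint16_t table;
    build_sample_segment(seg, &table);
    return extract_backdoor_commands(seg, table, 6, cmds);
}

int main(void)
{
    char cmds[6][MAX_CMD];
    int n = sample_commands(cmds);
    for (int i = 0; i < n; i++)
        printf("%d: %-6s%s\n", i, cmds[i],
               is_destructive_command(cmds[i]) ? "  <-- reboots the box" : "");
    return 0;
}
```

On a real sample you would fill the segment from the file's data area and
pass the BX value seen at 4C19:0098 as table_off; the walk is the same.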
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). A non-zero ES:DI means the VxD
is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as the one in method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the int 41h vector
in the IVT (ES must be 0 here) with a plain IRET, so that a call handled by
DOS returns with AX unchanged; if AX still comes back as 0F386h, something
below the V86 machine (the debugger's own int 41h hook) answered the call:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the temporary handler copies AL into CL, and AL holds a byte just read from
the PIT timer (port 40h). If the int 41h reached the installed handler with
AL intact, CL equals AL afterwards; otherwise the two differ and the check
fires. (Should the timer byte happen to be 0, CL stays 0 as well and the
check silently misses.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with SoftICE's loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3) simply by reading
their value (ring 0 only: a MOV from a debug register faults in ring 3).
Values can be manipulated or changed as well (clearing BPMs for instance).

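Added example (my own code, not from the page): a decoder for the DR7 values
quoted above (0x400 and 0x700) and for the four hardware breakpoint slots,
plus the two manipulations the text mentions, arming a BPM-style watch and
clearing all of them. Bit positions follow the Intel manuals; since a MOV from
DR7 faults outside ring 0, the values are passed in as constants rather than
read from the CPU.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM, "Debug Registers"):
 *   bit 2n   Ln  local enable of slot n        bit 8  LE (local exact)
 *   bit 2n+1 Gn  global enable of slot n       bit 9  GE (global exact)
 *   bits 16+4n,17+4n  R/Wn  0=exec 1=write 2=I/O 3=read/write
 *   bits 18+4n,19+4n  LENn  0=1 byte 1=2 bytes 3=4 bytes (2=8 bytes, 64-bit only)
 *   bit 10 reserved, reads as 1             bit 13 GD (general detect)
 */
struct hw_bp {
    int enabled;    /* Ln or Gn set */
    int global;     /* Gn set */
    unsigned rw;    /* raw R/Wn field */
    unsigned len;   /* LENn decoded to a byte count */
};

struct dr7_info {
    int le, ge, gd, reserved_bit10;
    int n_enabled;
    struct hw_bp bp[4];
};

static unsigned len_bytes(unsigned code)
{
    switch (code) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* code 2: 8 bytes on x86-64, undefined on 32-bit */
    }
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    for (int n = 0; n < 4; n++) {
        int l = (dr7 >> (2 * n)) & 1;
        int g = (dr7 >> (2 * n + 1)) & 1;
        d.bp[n].enabled = l | g;
        d.bp[n].global  = g;
        d.bp[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        d.bp[n].len     = len_bytes((dr7 >> (18 + 4 * n)) & 3);
        d.n_enabled    += d.bp[n].enabled;
    }
    return d;
}

/* The heuristic from the text: LE and GE both set (0x700 rather than 0x400). */
int looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm slot n the way a BPM does: local enable plus the R/W and LEN fields. */
uint32_t dr7_arm_slot(uint32_t dr7, int n, unsigned rw, unsigned len_code)
{
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((rw & 3) | ((len_code & 3) << 2)) << (16 + 4 * n);
    return dr7;
}

/* What a hostile program with ring-0 access does: drop every Ln/Gn and R/W+LEN field. */
uint32_t dr7_clear_all_slots(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;   /* keeps LE, GE, reserved bit 10 and GD */
}

static void show(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d slots=%d%s\n", dr7, d.le, d.ge, d.n_enabled,
           looks_like_softice_loader(dr7) ? "  (SoftICE loader signature)" : "");
    for (int n = 0; n < 4; n++)
        if (d.bp[n].enabled)
            printf("  DR%d: %s rw=%u len=%u\n", n, d.bp[n].global ? "global" : "local",
                   d.bp[n].rw, d.bp[n].len);
}

int main(void)
{
    show(0x400);                                  /* no debugger involved */
    show(0x700);                                  /* started by SoftICE's loader */
    uint32_t bpm = dr7_arm_slot(0x700, 0, 3, 3);  /* like BPM addr RW, 4 bytes */
    show(bpm);
    show(dr7_clear_all_slots(bpm));               /* the BPM is silently gone */
    return 0;
}
```

The decoder is what a ring-0 check would run on the value it just read; the
arm/clear helpers show why the warning at the top of this method matters, a
program that writes DR7 removes your BPMs without SoftICE noticing.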
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the control proc entry point of
Winice.exe while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (HFILE_ERROR is -1, so INC EAX yields 0 only
when the open failed):

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside the subkey strings of #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>