<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov  ebp, 04243484Bh    ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al,4
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911       ; execute command.
4C19:0098  MOV  DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647       ; 1st magic value.
4C19:009D  MOV  DI,4A4D       ; 2nd magic value.
4C19:00A0  INT  3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06         ; Repeat 6 times to execute
4C19:00A8  JB   0095          ; 6 different commands.
4C19:00AA  JMP  0002          ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

        xor  di,di
        mov  es,di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of WINICE
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax,ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor  di,di
        mov  es,di
        mov  ax, 1684h
        mov  bx, 7a5Fh          ; VxD ID of SIWVID
        int  2fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax,ax
        jnz  SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov  ax,4fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor  ax,ax
        mov  es,ax              ; es = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; install a harmless handler in case no debugger
        xchg bx, es:[41h*4+2]   ; intercepts int 41h
        mov  ax,4fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0f386h
        jz   SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov  cl,al              ; only reached if nothing intercepts int 41h
        iret
int41handler ENDP

        xor  ax,ax
        mov  es,ax              ; es = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; timer counter: a pseudo-random value in al
        xor  cx,cx
        int  41h                ; our handler copies al into cl...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl,al              ; ...unless a debugger took the interrupt
        jnz  SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov  ah,43h
        int  68h
        cmp  ax,0F386h
        jz   SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov  ah, 25h            ; DOS: set interrupt vector
        mov  al, Int_Number     ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov  edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

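To make the two dr7 values above concrete, here is an added decoder (my code, not part of the original text) for the DR7 bit layout documented by Intel: 0x400 is only the always-set reserved bit 10, and 0x700 adds bits 8 and 9 (LE and GE), which is the 0x300 difference between a normal load and one through the SoftICE loader. The third value in main() is a constructed sample, not a SoftICE value.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of the x86 DR7 debug-control register (Intel SDM, "Debug
 * Registers"): bits 0-7 = L0,G0,...,L3,G3 enables; bit 8 = LE; bit 9 = GE;
 * bit 10 = reserved, always reads as 1; bit 13 = GD; bits 16-31 = the R/W
 * and LEN fields of DR0..DR3, 4 bits per register. */

/* 1 if DRn (n = 0..3) is armed, i.e. its local or global enable bit is set. */
int dr7_bp_enabled(uint32_t dr7, int n) { return ((dr7 >> (2 * n)) & 3) ? 1 : 0; }

/* Break condition of DRn: 0=execute, 1=write, 2=I/O, 3=read or write. */
int dr7_bp_rw(uint32_t dr7, int n) { return (int)((dr7 >> (16 + 4 * n)) & 3); }

/* Length field of DRn: 0=1 byte, 1=2 bytes, 3=4 bytes. */
int dr7_bp_len(uint32_t dr7, int n) { return (int)((dr7 >> (18 + 4 * n)) & 3); }

int dr7_le(uint32_t dr7) { return (int)((dr7 >> 8) & 1); }  /* local exact breakpoint enable  */
int dr7_ge(uint32_t dr7) { return (int)((dr7 >> 9) & 1); }  /* global exact breakpoint enable */
int dr7_gd(uint32_t dr7) { return (int)((dr7 >> 13) & 1); } /* general detect: mov to/from DRn traps */

/* Number of hardware breakpoints (BPMs, in SoftICE terms) currently armed. */
int dr7_armed_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_bp_enabled(dr7, n);
    return c;
}

/* Prints a summary line plus one line per armed DRn; returns the armed count. */
int dr7_describe(uint32_t dr7)
{
    printf("dr7=%#x LE=%d GE=%d GD=%d armed=%d\n", (unsigned)dr7,
           dr7_le(dr7), dr7_ge(dr7), dr7_gd(dr7), dr7_armed_count(dr7));
    for (int n = 0; n < 4; n++)
        if (dr7_bp_enabled(dr7, n))
            printf("  DR%d: rw=%d len=%d\n", n, dr7_bp_rw(dr7, n), dr7_bp_len(dr7, n));
    return dr7_armed_count(dr7);
}

int main(void)
{
    dr7_describe(0x700);       /* LE+GE on top of the reserved bit: loaded via the SoftICE loader */
    dr7_describe(0x400);       /* reserved bit only: nothing armed, no exact-breakpoint flags */
    dr7_describe(0x000D0402u); /* constructed: DR0 as a global 4-byte write BPM (G0, R/W0=01, LEN0=11) */
    return 0;
}
```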
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the VxD by its device name only succeeds if it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

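Several of the tricks above leave fixed constants in the binary: the 'BCHK' value of Method 01, the SI/DI magic of Method 02, the VxD IDs of Methods 03 and 04, the 0F386h magic of Methods 05 to 07 and 12, the 002A002Ah VxDCall argument of Method 12, and the device names of Method 11. As an added example (my code, not from the original text), here is a small static scanner that flags those byte patterns in a file image, the kind of check an analyst runs to spot anti-debugging code before stepping through it; the signature names are my own labels and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One static indicator for an anti-SoftICE trick described above. Immediates use
 * the 16-bit encodings of the listings; 32-bit code adds a 66h prefix to the BX/SI/DI moves. */
typedef struct { const char *name; const uint8_t *bytes; size_t len; } Signature;
#define SIG(name, s, n) { name, (const uint8_t *)s, n }
static const Signature SIGS[] = {
    SIG("mov ebp,4243484Bh 'BCHK' (Method 01)",    "\xBD\x4B\x48\x43\x42", 5),
    SIG("mov si,4647h backdoor magic (Method 02)", "\xBE\x47\x46", 3),
    SIG("mov di,4A4Dh backdoor magic (Method 02)", "\xBF\x4D\x4A", 3),
    SIG("mov bx,0202h VxD ID SICE (Method 03)",    "\xBB\x02\x02", 3),
    SIG("mov bx,7A5Fh VxD ID SIWVID (Method 04)",  "\xBB\x5F\x7A", 3),
    SIG("cmp ax,0F386h magic (Methods 05-07,12)",  "\x3D\x86\xF3", 3),
    SIG("push 002A002Ah VxDCall (Method 12)",      "\x68\x2A\x00\x2A\x00", 5),
    SIG("device name \\\\.\\SICE (Method 11)",     "\\\\.\\SICE", 8),
    SIG("device name \\\\.\\SIWVID (Method 11)",   "\\\\.\\SIWVID", 10),
    SIG("device name \\\\.\\NTICE (Method 11)",    "\\\\.\\NTICE", 9),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
typedef struct { const char *name; size_t offset; } Hit;

/* Byte-for-byte search of buf for every signature; stores up to max hits and
 * returns the total found. Three-byte patterns will false-positive in unrelated
 * code, so hits are leads for a reviewer, not verdicts. */
size_t scan_anti_softice(const uint8_t *buf, size_t n, Hit *hits, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t s = 0; s < NSIGS; s++)
            if (SIGS[s].len <= n - i && memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0) {
                if (count < max) { hits[count].name = SIGS[s].name; hits[count].offset = i; }
                count++;
            }
    return count;
}

/* Constructed sample, not taken from any real binary: a Method 02 style int 3
 * call, filler, the MeltICE device name, then a Method 05 style compare. */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,            /* mov ax,0911h */
    0xBE, 0x47, 0x46,            /* mov si,4647h */
    0xBF, 0x4D, 0x4A,            /* mov di,4A4Dh */
    0xCC, 0x90, 0x90,            /* int 3 ; nop ; nop */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    0x3D, 0x86, 0xF3             /* cmp ax,0F386h */
};

/* Runs the scanner over SAMPLE, prints each hit, and returns the hit count. */
size_t scan_sample(void)
{
    Hit hits[16];
    size_t n = scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].name);
    return n;
}
int main(void) { return scan_sample() == 4 ? 0 : 1; }
```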
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>