About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (IVT segment), as set
    xchg    bx, es:[41h*4+2]        ; explicitly in method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
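To see exactly what a ring0 read of the debug registers gives such a check, here is an added Python decoder; it is not part of the original text. It takes a raw DR7 value (plus DR0-DR3) and reports which breakpoint slots are armed, their type and length, and whether the LE/GE bits that make up the 0x700 loader signature mentioned above are set. The bit layout is the documented IA-32 DR7 format; the sample register values are constructed.

```python
"""Decode an x86 DR7 value the way the Method 10 check reads it in ring0.

Added example, not code from the original text.  Layout follows the
documented IA-32 DR7 format: L0/G0..L3/G3 in bits 0-7, LE in bit 8, GE in
bit 9, bit 10 always set, R/Wn in bits 16+4n..17+4n and LENn in bits
18+4n..19+4n.
"""
from dataclasses import dataclass

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10   # the 0x400 the text says you see without the loader


@dataclass(frozen=True)
class Breakpoint:
    slot: int          # 0..3, i.e. DR0..DR3
    address: int       # value of the matching DRn
    kind: str          # execute / write / io / read/write
    length: int        # bytes covered
    local: bool        # Ln (task-local) enable bit
    global_: bool      # Gn enable bit


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Return the armed hardware breakpoints (BPMs) described by DR7 + DR0..DR3."""
    found = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        global_ = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or global_):
            continue            # slot n is disabled; its R/W and LEN bits are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        found.append(Breakpoint(n, dr0_3[n], RW_KIND[rw], LEN_BYTES[ln], local, global_))
    return found


def loader_signature(dr7: int) -> bool:
    """True when LE and GE are both set, i.e. DR7 looks like the 0x700 the text
    attributes to programs started through the SoftICE loader."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def summarize(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """One-line summary of what the anti-debug check would observe."""
    bps = decode_dr7(dr7, dr0_3)
    parts = [f"dr7={dr7:#x}", f"loader_signature={loader_signature(dr7)}"]
    for bp in bps:
        parts.append(f"DR{bp.slot}={bp.address:#x} {bp.kind} len={bp.length}")
    if not bps:
        parts.append("no BPM armed")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed samples: 0x700 (loader), 0x400 (no loader), and a DR7 that
    # arms DR0 as a 4-byte read/write BPM on a made-up address.
    for dr7, regs in ((0x700, (0, 0, 0, 0)), (0x400, (0, 0, 0, 0)),
                      (0xF0401, (0x401000, 0, 0, 0))):
        print(summarize(dr7, regs))
```

Running it prints one line per sample; the third shows why a BPM set from SoftICE is visible to the protected program, and why the text warns to clear breakpoints before tracing a program that uses this trick.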

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SICE VxD through its device name. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* The VxD accepted DIOC_OPEN, so SoftICE is loaded. */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
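The int-based tricks above all have fixed instruction encodings, so an analyst triaging a packed DOS or Win9x binary can flag them statically before ever single-stepping into them. The following Python scanner is an added example, not the text's own code: it carries byte signatures for Methods 01, 02, 03, 04, 05, 07, 11 and 12 and matches each as an ordered set of fragments inside a short window, so an instruction interleaved between `mov ax,1684h` and `int 2Fh` does not hide the pattern. The encodings assume 16-bit code for the int-based tricks and 32-bit code for the BCHK and VxDCall sequences; an assembler can pick other encodings, so a clean scan is a hint, not proof of absence. The sample blob is constructed.

```python
"""Static scanner for the anti-SoftICE instruction sequences catalogued above.

Added example, not code from the original text.  Each signature is an ordered
tuple of byte fragments that must all occur, in order, within `window` bytes
of the first one.  Assumed encodings: 16-bit for the int-based tricks
(mov ax,imm16 = B8 iw, mov bx,imm16 = BB iw, mov si = BE iw, mov di = BF iw,
int n = CD n, cmp ax,imm16 = 3D iw) and 32-bit for mov ebp,imm32 (BD id),
push imm32 (68 id) and cmp ax,imm16 (66 3D iw).
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str
    description: str
    parts: tuple            # byte fragments, in order
    window: int = 32        # all fragments must fit within this many bytes


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    description: str


SIGNATURES = (
    Signature("Method 01", "BoundsChecker 'BCHK' int 3 check",
              (b"\xBD\x4B\x48\x43\x42", b"\xCC"), 16),           # mov ebp,4243484Bh .. int 3
    Signature("Method 02", "SoftICE back door magic values in SI/DI",
              (b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC")),      # mov si,4647h / mov di,4A4Dh / int 3
    Signature("Method 03", "int 2Fh/1684h with SICE VxD ID 0202h",
              (b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F")),
    Signature("Method 04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
              (b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F")),
    Signature("Method 05", "int 41h function 4Fh, compare with 0F386h",
              (b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3")),
    Signature("Method 07", "int 68h function 43h (V86 WinICE handler)",
              (b"\xB4\x43", b"\xCD\x68")),
    Signature("Method 11", "MeltICE: \\\\.\\SICE device name", (b"\\\\.\\SICE",)),
    Signature("Method 11", "MeltICE: \\\\.\\SIWVID device name", (b"\\\\.\\SIWVID",)),
    Signature("Method 11", "MeltICE: \\\\.\\NTICE device name", (b"\\\\.\\NTICE",)),
    Signature("Method 12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah), compare with 0F386h",
              (b"\x68\x2A\x00\x2A\x00", b"\x66\x3D\x86\xF3")),
)


def _matches_at(data: bytes, sig: Signature, start: int) -> bool:
    """Check that the remaining fragments follow the first one inside the window."""
    pos = start + len(sig.parts[0])
    limit = start + sig.window
    for part in sig.parts[1:]:
        idx = data.find(part, pos, limit)
        if idx == -1:
            return False
        pos = idx + len(part)
    return True


def scan(data: bytes) -> list:
    """Return every signature hit in `data`, ordered by offset."""
    hits = []
    for sig in SIGNATURES:
        start = data.find(sig.parts[0])
        while start != -1:
            if _matches_at(data, sig, start):
                hits.append(Hit(start, sig.method, sig.description))
            start = data.find(sig.parts[0], start + 1)
    return sorted(hits, key=lambda h: (h.offset, h.method))


# Constructed sample blob: NOP padding around three of the sequences.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh ('BCHK')   -> Method 01 at offset 8
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x84\x16"              # mov ax, 1684h                 -> Method 03 at offset 26
    + b"\xBB\x02\x02"              # mov bx, 0202h
    + b"\xCD\x2F"                  # int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # MeltICE device name           -> Method 11 at offset 38
)

if __name__ == "__main__":
    # Usage: python scanner.py <file>   (scans the constructed sample if no file is given)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(blob):
        print(f"{h.offset:#010x}  {h.method}: {h.description}")
```

The Method 06 variant is deliberately absent: it calls int 41h with `xor cx,cx` and no function number, so there is no stable immediate to key on, which is exactly why the text calls it harder to detect; for that one the SoftICE-side breakpoints listed under Method 12 (`BPINT 41`) remain the practical answer.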

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.