<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911    ; execute command.
        4C19:0098  MOV DX,[BX]    ; ds:dx points to the command (see below).
        4C19:009A  MOV SI,4647    ; 1st magic value.
        4C19:009D  MOV DI,4A4D    ; 2nd magic value.
        4C19:00A0  INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD BX,02      ; BX+2 to point to the next command to execute.
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06      ; Repeat 6 times to execute
        4C19:00A8  JB 0095        ; 6 different commands.
        4C19:00AA  JMP 0002       ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI != 0 -> the VxD answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old one
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler echoes al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = a byte from the PIT counter (port 40h)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was really called
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
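Static signature scanner for the instruction patterns of methods 01, 02, 03, 04, 05 and 07, the kind of check an analyst runs over a packed sample to flag these tricks before debugging it. This is an added example, not code from the original text; the opcode encodings it assumes are stated in the comment, the signature names and the sample byte buffer are constructed here, and the scan returns a bitmask of the methods found.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16  /* max gap, in bytes, between the two fragments of a signature */
#define B(...) (const uint8_t[]){__VA_ARGS__}, sizeof((const uint8_t[]){__VA_ARGS__})

/* A signature is two byte fragments (the setup instruction, then the interrupt)
 * that must appear in order within WINDOW bytes. Encodings assumed: B8/BB/BE/BF iw
 * for mov ax/bx/si/di,imm16, B4 ib for mov ah,imm8, CD ib for int n, CC for int 3. */
typedef struct { const char *name; int bit;
                 const uint8_t *a; size_t alen; const uint8_t *b; size_t blen; } sig_t;

static const sig_t sigs[] = {
    {"01 'BCHK' in ebp, then int 3",         1<<0, B(0x4B,0x48,0x43,0x42), B(0xCC)},
    {"02 back door SI=4647h, DI=4A4Dh",      1<<1, B(0xBE,0x47,0x46), B(0xBF,0x4D,0x4A)},
    {"03 mov bx,0202h (WINICE) ... int 2Fh", 1<<2, B(0xBB,0x02,0x02), B(0xCD,0x2F)},
    {"04 mov bx,7A5Fh (SIWVID) ... int 2Fh", 1<<3, B(0xBB,0x5F,0x7A), B(0xCD,0x2F)},
    {"05 mov ax,4Fh ... int 41h",            1<<4, B(0xB8,0x4F,0x00), B(0xCD,0x41)},
    {"07 mov ah,43h ... int 68h",            1<<5, B(0xB4,0x43),      B(0xCD,0x68)},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Returns a bitmask of the signatures present in buf (0 if none). */
int scan_softice_tricks(const uint8_t *buf, size_t n)
{
    int mask = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const sig_t *g = &sigs[s];
        for (size_t i = 0; i + g->alen <= n && !(mask & g->bit); i++) {
            if (memcmp(buf + i, g->a, g->alen) != 0) continue;
            size_t from = i + g->alen;
            for (size_t j = from; j + g->blen <= n && j <= from + WINDOW; j++)
                if (memcmp(buf + j, g->b, g->blen) == 0) { mask |= g->bit; break; }
        }
    }
    return mask;
}

/* Constructed sample (16-bit code): Haspinst-style back door call (Method 02)
 * followed by the simplest int 41h/4Fh check (Method 05). */
const uint8_t sample[] = {
    0x90, 0x90,                               /* nop; nop */
    0xB8,0x11,0x09, 0x8B,0x17,                /* mov ax,0911h; mov dx,[bx] */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,     /* mov si,4647h; mov di,4A4Dh; int 3 */
    0x43, 0x41,                               /* inc bx; inc cx */
    0xB8,0x4F,0x00, 0xCD,0x41,                /* mov ax,4Fh; int 41h */
    0x3D,0x86,0xF3, 0x74,0x00,                /* cmp ax,0F386h; jz $+2 */
    0xC3 };                                   /* ret */
const size_t sample_len = sizeof sample;

int main(void)
{
    int mask = scan_softice_tricks(sample, sample_len);
    for (size_t s = 0; s < NSIGS; s++)
        if (mask & sigs[s].bit) printf("found: method %s\n", sigs[s].name);
    return 0;
}
```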
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
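Decoder for the DR7 values Method 10 reads, an added example that is not part of the original text. It uses the DR7 bit layout from the Intel manuals (Ln/Gn enables in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and always set, R/Wn and LENn fields from bit 16 up), so the 0x700 and 0x400 values quoted above decode to "LE+GE set" versus "only the always-set bit 10"; the function names and the third sample value are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local_enable[4], global_enable[4];  /* Ln / Gn: bits 2n and 2n+1 */
    int rw[4];                              /* R/Wn: 0=exec 1=write 2=io 3=read/write */
    int len_bytes[4];                       /* LENn decoded to a byte count */
    int le, ge;                             /* exact local/global enable, bits 8 and 9 */
    int reserved_bit10;                     /* bit 10, always reads as 1 */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    static const int lens[4] = {1, 2, 8, 4};  /* LEN 00,01,10,11 (10 = 8 bytes, 64-bit only) */
    dr7_t d;
    for (int n = 0; n < 4; n++) {
        d.local_enable[n]  = (dr7 >> (2 * n)) & 1;
        d.global_enable[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]            = (dr7 >> (16 + 4 * n)) & 3;
        d.len_bytes[n]     = lens[(dr7 >> (18 + 4 * n)) & 3];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    return d;
}

/* Number of DR0..DR3 slots that are armed; a SoftICE BPM shows up here. */
int armed_slots(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += d.local_enable[i] || d.global_enable[i];
    return n;
}

/* 1 if the value matches the "loaded through SoftICE loader" pattern the text
 * quotes (0x700): LE and GE set on top of bit 10, and no slot armed. */
int looks_like_softice_loader(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge && armed_slots(dr7) == 0;
}

int main(void)
{
    /* Constructed values: the two the text quotes, plus one with a 4-byte
     * write breakpoint armed in slot 0 (L0=1, R/W0=01, LEN0=11). */
    uint32_t samples[] = {0x700, 0x400, 0x400 | 1 | (1u << 16) | (3u << 18)};
    for (int i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("dr7=%#07x le=%d ge=%d armed=%d rw0=%d len0=%d\n", samples[i],
               d.le, d.ge, armed_slots(samples[i]), d.rw[0], d.len_bytes[0]);
    }
    return 0;
}
```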

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>