<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: SoftICE implements
that interface and answers the int 3 by changing al; with no debugger
present the int 3 returns with al still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is cleared beforehand, so that a
non-zero pointer afterwards can only mean that the VxD answered.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler, so the only thing that can change ax is a debugger intercepting
the interrupt before it reaches the vector:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es = 0 (interrupt vector table) is assumed
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
handler installed in the int 41h vector copies al into cl, so if the
interrupt really reached the vector, cl equals al afterwards; if a debugger
intercepted it, cl is still 0. The value read from the timer port (in al,40h)
makes the expected result differ from run to run, and no 0F386h constant
appears anywhere in the code.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer channel 0: an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) or whether memory breakpoints are set (dr0 to dr3).
The values can be modified as well (clearing BPMs, for instance).

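The decoder below is an added example, not code from the original text. It shows what the two DR7 values quoted above actually encode, how a ring-0 check would enumerate the armed hardware breakpoint slots (the BPM slots SoftICE uses), and what "clearing BPMs" means at the bit level. Because MOV from DR7 raises #GP outside ring 0, the functions take the register value as a parameter instead of reading it; the sample values in main() are constructed, not captured from a machine, and the bit layout is the one documented for x86 DR7 (Intel SDM vol. 3).

```c
/* dr7_decode.c -- decode the x86 DR7 debug control register.
 * Method 10 reads DR7 and sees 0x400 when nothing is armed (bit 10 is
 * reserved and always reads as 1) and 0x700 under the SoftICE loader
 * (LE and GE, bits 8 and 9, set as well).  MOV from DRn raises #GP above
 * ring 0, so this code takes the value as a parameter instead of reading
 * the register. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE           (1u << 8)   /* local exact breakpoint enable      */
#define DR7_GE           (1u << 9)   /* global exact breakpoint enable     */
#define DR7_RESERVED_ONE (1u << 10)  /* always reads as 1                  */
#define DR7_GD           (1u << 13)  /* general detect: #DB on any MOV DRn */

/* 1 if slot n (DR0..DR3) is armed by its L or G bit. */
int dr7_slot_enabled(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* 1 if slot n is armed globally (G bit) rather than per task (L bit). */
int dr7_slot_global(uint32_t dr7, int n)
{
    return (dr7 >> (2 * n + 1)) & 1u;
}

/* R/Wn: 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE), 3 = data read or write */
int dr7_slot_rw(uint32_t dr7, int n)
{
    return (dr7 >> (16 + 4 * n)) & 3u;
}

/* LENn decoded to bytes: 00 = 1, 01 = 2, 11 = 4, 10 = 8 (8 only in 64-bit mode) */
int dr7_slot_len_bytes(uint32_t dr7, int n)
{
    static const int len_table[4] = { 1, 2, 8, 4 };
    return len_table[(dr7 >> (18 + 4 * n)) & 3u];
}

/* How many hardware breakpoints (SoftICE BPM/BPMB/BPMW/BPMD) are armed. */
int dr7_enabled_breakpoints(uint32_t dr7)
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        count += dr7_slot_enabled(dr7, n);
    return count;
}

/* The 0x700-vs-0x400 distinction from the text: both exact bits set. */
int dr7_softice_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Value to write back to disarm every slot: enable bits 0-7 and the
 * R/W and LEN fields 16-31 cleared, LE/GE/reserved/GD (bits 8-15) kept. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    int n;

    printf("DR7=0x%08X  armed=%d  LE=%d GE=%d GD=%d%s\n", (unsigned)dr7,
           dr7_enabled_breakpoints(dr7),
           (dr7 & DR7_LE) != 0, (dr7 & DR7_GE) != 0, (dr7 & DR7_GD) != 0,
           dr7_softice_loader_signature(dr7) ? "  (loader signature from the text)" : "");
    for (n = 0; n < 4; n++)
        if (dr7_slot_enabled(dr7, n))
            printf("  DR%d: %s %s, %d byte(s)\n", n,
                   dr7_slot_global(dr7, n) ? "global" : "local",
                   rw_name[dr7_slot_rw(dr7, n)], dr7_slot_len_bytes(dr7, n));
}

int main(void)
{
    /* Constructed sample values, not read from a real machine. */
    dr7_print(0x00000400u);  /* idle: only the reserved bit                    */
    dr7_print(0x00000700u);  /* LE|GE|reserved: the loader case                */
    dr7_print(0x000F0401u);  /* L0, R/W0=11, LEN0=11: a 4-byte read/write BPM on DR0 */
    printf("after clearing: 0x%08X\n", (unsigned)dr7_clear_breakpoints(0x000F0401u));
    return 0;
}
```

Run stand-alone, the program prints the three decoded values and the disarmed DR7 (0x00000400). The practical lesson for the analyst side is the one the text warns about: any BPM you leave armed is visible in bits 0-7 and 16-31 of DR7, and a protection that writes dr7_clear_breakpoints() back silently removes them, so clear your BPMs before letting such code run.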
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when a handle to the SoftICE Win9x driver can be opened,
   i.e. when the SICE VxD is loaded and answers the DIOC_OPEN it receives. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; not opened -> not detected

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

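The breakpoint condition above and the BPX CreateFileA condition of Method 11 rely on the same SoftICE expression idiom: esp->4 and esp->8 are the dwords at [esp+4] and [esp+8], i.e. the first and second stack argument of the API at its entry point (lpFileName for CreateFileA, lpSubKey for RegOpenKey), and *(p+off)=='ABCD' compares the four bytes at p+off with the literal in memory order. The C below is an added example, not code from the original text: it evaluates both conditions on the strings the programs pass, which shows where the constants 4, 0x13 and 0x37 come from and which of the three registry keys the published breakpoint misses. The device names and subkeys are taken from the text; the helper names are mine, and the test vectors are constructed.

```c
/* sice_bpx_cond.c -- the SoftICE conditional-breakpoint idioms of Methods 11
 * and 13, evaluated in C.  esp->4 / esp->8 are the first and second stack
 * arguments (lpFileName for CreateFileA, lpSubKey for RegOpenKey) and
 * *(p+off)=='ABCD' is a four-byte compare at p+off, in memory order. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* *(s+off)=='lit': 1 when the four bytes of s at off equal lit.  SoftICE reads
 * the dword wherever it lands; here a string too short to hold it yields 0. */
int dword_at_equals(const char *s, size_t off, const char lit[4])
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, lit, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV'
 *                               || *(esp->4+4)=='NTIC'
 * Offset 4 skips the "\\.\" device prefix of the name MeltICE passes. */
int createfile_cond(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * 0x13 is where "tICE" sits in "Software\NuMega\SoftICE" (key #2) and 0x37
 * where it sits in "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"
 * (key #1); the subkey is the second argument of RegOpenKey. */
int regopenkey_cond(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" in a subkey, or -1: how the fixed offsets above are derived. */
long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1L;
}

int main(void)
{
    /* Names from the text (constructed test vectors, not captured calls). */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\autoexec.bat" };
    const char *keys[]  = { "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    size_t i;

    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               createfile_cond(files[i]) ? "BREAK" : "pass");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") 'tICE' at %ld -> %s\n", keys[i],
               tice_offset(keys[i]),
               regopenkey_cond(keys[i]) ? "BREAK" : "pass");
    return 0;
}
```

Key #3 (...\App Paths\Loader32.Exe) contains no 'tICE', so the published condition lets that access through; tice_offset() is how you would derive the offset to add for any further key you want to cover. The length check in dword_at_equals() is also where the C version is safer than the live breakpoint: SoftICE evaluates *(esp->4+4) even for a four-character filename and simply compares whatever bytes follow it in memory.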
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>