<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE answers to
on int 3:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 when nobody handled the call
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the utility the
HASP dongle Envelope uses to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our handler into the int 41h vector
    xchg bx, es:[41h*4+2]   ; (es is assumed to be 0, the IVT segment)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap our handler into the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; any value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al: our handler never ran
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or if there are some memory breakpoints set (dr0 to
dr3), simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds when the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
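An added example, not part of the original text: a small Python triage scanner that flags the byte patterns of Methods 01, 02, 05, 11 and 12 in a raw binary, so an analyst can spot these checks before stepping through a target. The opcode encodings and the sample bytes are my own assumptions and construction, derived from the instruction listings above.

```python
import re

# Byte-level signatures for the tricks above. Assumed standard x86 encodings:
# B8/BD/BE/BF = mov ax/ebp/si/di,imm; 3D = cmp ax,imm16; CC = int 3.  The
# optional 66h prefix lets each form match in both 16-bit and 32-bit code.
SIGNATURES = [
    ("Method 01: 'BCHK' BoundsChecker probe via int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh) via int 3",
     re.compile(rb"(?:(?:\x66)?\xB8(?P<fn>[\x10-\x14])\x09.{0,8}?)?"
                rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
                re.DOTALL)),
    ("Method 05/12: compare with system-debugger magic 0F386h",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("Method 11: SoftICE driver name as used by MeltICE/_lopen",
     re.compile(rb"\\\\\.\\(?P<drv>SICE|SIWVID|NTICE)\x00")),
]

# Back-door functions from the AX=091xh list above.
BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoints",
                  0x14: "remove breakpoints"}


def scan(blob: bytes):
    """Return [(offset, description)] for every signature hit, by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            detail = name
            gd = m.groupdict()
            if gd.get("fn") is not None:          # which back-door call
                fn = gd["fn"][0]
                detail += f" [AX=09{fn:02X}h: {BACKDOOR_FUNCS[fn]}]"
            if gd.get("drv") is not None:         # which driver name
                detail += " [\\\\.\\" + gd["drv"].decode() + "]"
            hits.append((m.start(), detail))
    return sorted(hits)


# Constructed sample (not a real file): the Haspinst.exe sequence from
# Method 02 re-encoded as 16-bit code, a MeltICE device name, and a 32-bit
# 'cmp ax,0F386h' from Method 05/12, with filler around them.
SAMPLE = (
    b"\x90" * 4                                # nop filler
    + b"\xB8\x11\x09"                          # mov ax,0911h
    + b"\x8B\x17"                              # mov dx,[bx]
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A"        # mov si,4647h / mov di,4A4Dh
    + b"\xCC"                                  # int 3
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"  # add bx,2/inc cx/cmp cx,6/jb
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                       # CreateFileA argument
    + b"\x66\x3D\x86\xF3\x74\x05"              # cmp ax,0F386h / jz
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:08X}  {desc}")
```

Run it on a whole file with scan(open(path, "rb").read()); a hit is a reason to inspect that spot, not proof by itself, since the 0F386h compare in particular can occur in unrelated code.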
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>