<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

   mov ebp, 04243484Bh    ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al,4               ; AL is left at 4 when SoftICE is not loaded
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h          ; VxD ID of winice
   int 2Fh
   mov ax, es             ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax             ; ES:DI stays 0:0 when the VxD is not present
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh          ; VxD ID of SIWVID
   int 2Fh
   mov ax, es             ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

   xor ax,ax
   mov es,ax              ; ES -> interrupt vector table
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]    ; install a dummy int 41h handler, keep the old vector
   xchg bx, es:[41h*4+2]
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]    ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
   mov cl,al              ; only reached if the int 41h call gets down to the IVT handler
   iret
int41handler ENDP

   xor ax,ax
   mov es,ax              ; ES -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]    ; install our handler, keep the old vector
   xchg bx, es:[41h*4+2]
   in al, 40h             ; random byte from the timer port: no 4Fh function code to break on
   xor cx,cx
   int 41h
   xchg dx, es:[41h*4]    ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp cl,al              ; CL differs from AL when a debugger swallowed the call
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
   BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

   mov ah, 25h            ; DOS set interrupt vector
   mov al, Int_Number     ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
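
The two DR7 values quoted above are easier to interpret with the register's bit layout spelled out: 0x400 is just the always-set reserved bit, and 0x700 adds the LE/GE exact-match flags without enabling any breakpoint slot. The decoder below is an added example, not code from the original article; the third value it decodes (a 4-byte write watchpoint in slot 0) is constructed for illustration.

```python
"""Decode an x86 DR7 debug-control register value (added example).

Layout used (Intel SDM): bits 0-7 alternate Ln/Gn enable bits for slots 0-3,
bit 8 LE, bit 9 GE (exact-match flags), bit 10 reserved and always 1,
bit 13 GD, and for slot n bits 16+4n..17+4n RWn and 18+4n..19+4n LENn.
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 10b means 8 bytes only in long mode


def decode_dr7(dr7: int) -> dict:
    """Return the control flags and the enabled breakpoint slots of a DR7 value."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            rw = dr7 >> (16 + 4 * n) & 0b11
            ln = dr7 >> (18 + 4 * n) & 0b11
            slots.append({"slot": n, "global": glob,
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "GD": bool(dr7 >> 13 & 1),
        "breakpoints": slots,
    }


def classify_dr7(dr7: int) -> str:
    """Name the three situations the text distinguishes: bare, loader flags, BPMs."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "%d hardware breakpoint slot(s) enabled" % len(d["breakpoints"])
    if d["LE"] or d["GE"]:
        return "no breakpoints, but LE/GE exact-match flags set"
    return "bare register (only the reserved bit 10 is set)"


# Constructed values: the two quoted in the text plus one with a 4-byte
# write watchpoint in slot 0 (G0 | RW0=write | LEN0=4 bytes).
DR7_PLAIN = 0x400
DR7_LOADER = 0x700
DR7_BPM0 = 0x400 | (1 << 1) | (0b01 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for v in (DR7_PLAIN, DR7_LOADER, DR7_BPM0):
        print("dr7=%#07x -> %s" % (v, classify_dr7(v)))
        print("    ", decode_dr7(v))
```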
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the open only succeeds when the SICE driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

   00401067: push 00402025        ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                ; OF_READ
   mov eax,[00656634]     ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                ; HFILE_ERROR (-1) becomes 0
   jnz 00650589           ; detected
   push 00                ; OF_READ
   mov eax,[00656638]     ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push 0000004fh         ; function 4fh
   push 002a002ah         ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_001  ; VxdCall
   cmp ax, 0f386h         ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
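
Most of the tricks above leave fixed constants in the binary (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the 0F386h compare, the int 41h/4Fh and int 2Fh/1684h sequences, the \\.\SICE-style device names and the 002A002Ah VxDCall argument), so an analyst can flag them statically before tracing. The scanner below is an added example, not part of the original article; its signatures follow the encodings of the snippets on this page (16-bit operand size, optional 66h prefix) and the sample buffer it scans is constructed.

```python
"""Static scanner for the SoftICE-detection artifacts described on this page
(added example). Signatures are the byte encodings of the quoted snippets;
an optional 66h operand-size prefix is tolerated where 32-bit code emits it.
"""
import re

# (method number on this page, description, regex over raw bytes)
SIGNATURES = [
    ("01", "mov ebp,'BCHK' BoundsChecker probe", rb"\x66?\xbd\x4b\x48\x43\x42"),
    ("02", "mov si,4647h back-door magic", rb"\x66?\xbe\x47\x46"),
    ("02", "mov di,4A4Dh back-door magic", rb"\x66?\xbf\x4d\x4a"),
    ("03/04", "mov ax,1684h ... int 2Fh VxD entry lookup", rb"\xb8\x84\x16.{0,8}?\xcd\x2f"),
    ("03/04", "mov bx,0202h (SICE VxD ID)", rb"\xbb\x02\x02"),
    ("03/04", "mov bx,7A5Fh (SIWVID VxD ID)", rb"\xbb\x5f\x7a"),
    ("05", "mov ax,4Fh / int 41h", rb"\xb8\x4f\x00\xcd\x41"),
    ("05/07/12", "cmp ax,0F386h debugger magic", rb"\x66?\x3d\x86\xf3"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch)", rb"\x68\x2a\x00\x2a\x00"),
    ("13", r"registry path NuMega\SoftICE", re.escape(rb"NuMega\SoftICE")),
]
# MeltICE device names, as ANSI and UTF-16LE strings
for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"):
    SIGNATURES.append(("11", "device name %s (ANSI)" % name, re.escape(name.encode())))
    SIGNATURES.append(("11", "device name %s (UTF-16LE)" % name,
                       re.escape(name.encode("utf-16-le"))))


def scan(data: bytes) -> list:
    """Return (offset, method, description) hits sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes) -> list:
    """Distinct page method numbers whose signatures appear in data."""
    return sorted({method for _, method, _ in scan(data)})


# Constructed sample: fragments of the page's snippets glued with padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 2
    + rb"\\.\SICE" + b"\x00"                 # MeltICE device name
    + b"\x68\x2a\x00\x2a\x00"                # push 002A002Ah (VxDCall argument)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("%#06x  method %-8s %s" % (offset, method, desc))
```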

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>