<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 04h, INT 3 is answered by SoftICE, which changes AL;
the code treats anything other than the original 4 in AL as a detection.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
 with no debugger, INT 3 raises an exception that the program's own handler
 catches and resumes from 00ADh.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point). Without SoftICE the call leaves ES:DI at 0:0;
with it, ES:DI points to the VxD's API entry point, so ES+DI is non-zero.


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the VxD ID of the
SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next variant, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily points the int 41h
vector at its own handler, which just IRETs, so that without a debugger AX is
left unchanged; SoftICE still answers with 0F386h:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:
no magic constant is compared. The program's handler copies AL into CL; AL
holds a value read from the timer port (40h) and CX was cleared beforehand.
If SoftICE handles int 41h itself, the program's handler never runs, CL stays
0 and CL != AL.


int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
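
To make the difference between the two handler-swap variants concrete, here is
an added example (my own model, not Stone's code nor anything from this page):
a small Python model of a real-mode IVT with an optional debugger that takes
int 41h before the vector in the table is ever consulted, which is the
assumption behind Method 05 (SoftICE answers even though the program has
patched the vector). It runs both checks with and without the debugger and
also shows the edge case of Method 06: when the timer port happens to return
0, CL and AL agree even though the program's handler never ran, so the check
misses. The timer value is passed in instead of being read from port 40h, and
the dispatcher's behaviour is an assumption of the model.

```python
"""Model of the int 41h handler-swap checks (Methods 05 and 06).

Added example, not code from the page.  A toy 16-bit machine: registers in a
dict, an interrupt vector table as a dict, and an optional debugger that
intercepts int 41h *before* the IVT entry is consulted (assumption of the
model: that is how a ring-0 debugger wins over a vector patched by the
program).
"""

INT41_MAGIC = 0xF386          # returned by system debuggers for function 4Fh


def debugger_int41(regs):
    """Debugger installation check: AX=4Fh is answered with 0F386h."""
    if regs["ax"] == 0x4F:
        regs["ax"] = INT41_MAGIC


class Machine:
    def __init__(self, debugger_loaded):
        self.ivt = {}                                  # vector -> handler(regs)
        self.debugger = debugger_int41 if debugger_loaded else None

    def int_(self, vector, regs):
        """Software interrupt: the debugger sees int 41h first, then the IVT."""
        if vector == 0x41 and self.debugger is not None:
            self.debugger(regs)
            return
        handler = self.ivt.get(vector)
        if handler is not None:
            handler(regs)
        # no handler installed: behaves like a bare IRET


def swap_vector(machine, vector, handler):
    """xchg dx,es:[vec*4] / xchg bx,es:[vec*4+2]: install, return the old one."""
    old = machine.ivt.get(vector)
    machine.ivt[vector] = handler
    return old


def method05(machine):
    """mov ax,4Fh ; int 41h with our own IRET handler temporarily installed."""
    old = swap_vector(machine, 0x41, lambda regs: None)   # int41handler2: iret
    regs = {"ax": 0x4F, "cx": 0}
    machine.int_(0x41, regs)
    swap_vector(machine, 0x41, old)                        # restore
    return regs["ax"] == INT41_MAGIC                       # jz SoftICE_detected


def method06(machine, timer_byte):
    """in al,40h ; xor cx,cx ; int 41h ; cmp cl,al -- no magic constant."""
    def int41handler(regs):                                # mov cl,al ; iret
        regs["cx"] = (regs["cx"] & 0xFF00) | (regs["ax"] & 0x00FF)

    old = swap_vector(machine, 0x41, int41handler)
    regs = {"ax": timer_byte & 0xFF, "cx": 0}              # AH undefined; use 0
    machine.int_(0x41, regs)
    swap_vector(machine, 0x41, old)
    al, cl = regs["ax"] & 0xFF, regs["cx"] & 0xFF
    return cl != al                                        # jnz SoftICE_detected


if __name__ == "__main__":
    for loaded in (False, True):
        m = Machine(loaded)
        print(f"debugger loaded={loaded}: method05={method05(m)} "
              f"method06(al=5Ah)={method06(m, 0x5A)} "
              f"method06(al=0)={method06(m, 0)}")
```

The point of the model is the last case: Method 06 has no constant to grep
for, but it is also slightly unreliable, since one timer reading in 256 makes
it report "no debugger" even when one is there.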
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
returns the 0F386h magic when a debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: the program
intercepts int 01h and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE is
loaded (dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3 hold their
addresses, dr7 their enable bits). Values can be manipulated or changed as
well (clearing BPMs for instance).
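
The two DR7 values quoted above decode as follows (added example, not from the
page; bit layout per the Intel SDM, "Debug Registers"): bit 10 is reserved and
always reads as 1, so 0x400 is an idle DR7, and 0x700 adds LE (bit 8) and GE
(bit 9), the "exact breakpoint" bits Intel recommends debuggers set when they
install themselves. The Python below decodes any DR7 into its fields, lists
the enabled hardware breakpoints with their type and length, applies the
page's loader heuristic, and builds a DR7 for a single breakpoint so that a
BPM-style value can be checked against the decoder. The values used in
`__main__` are constructed examples.

```python
"""DR7 decoder for the Method 10 check.  Added example; field layout from the
Intel SDM vol. 3, "Debug Registers":
  bits 0-7   L0,G0 .. L3,G3   local/global enable per breakpoint
  bit 8 LE, bit 9 GE          local/global exact breakpoint (set by debuggers)
  bit 10                      reserved, always reads as 1
  bit 13 GD                   general detect (trap on any DRx access)
  bits 16-31                  R/W0,LEN0 .. R/W3,LEN3, 2 bits each
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN=2 means 8 bytes on later CPUs


def decode_dr7(dr7):
    """Return every DR7 field by name."""
    f = {}
    for i in range(4):
        f[f"L{i}"] = (dr7 >> (2 * i)) & 1
        f[f"G{i}"] = (dr7 >> (2 * i + 1)) & 1
        f[f"RW{i}"] = (dr7 >> (16 + 4 * i)) & 3
        f[f"LEN{i}"] = (dr7 >> (18 + 4 * i)) & 3
    f["LE"] = (dr7 >> 8) & 1
    f["GE"] = (dr7 >> 9) & 1
    f["RESERVED10"] = (dr7 >> 10) & 1
    f["GD"] = (dr7 >> 13) & 1
    return f


def active_breakpoints(dr7):
    """(index, kind, length, scope) for every breakpoint whose L or G bit is set."""
    f = decode_dr7(dr7)
    out = []
    for i in range(4):
        if f[f"L{i}"] or f[f"G{i}"]:
            out.append((i, RW_NAMES[f[f"RW{i}"]], LEN_BYTES[f[f"LEN{i}"]],
                        "global" if f[f"G{i}"] else "local"))
    return out


def loaded_by_softice_loader(dr7):
    """The page's heuristic: LE and GE both set (0x700), versus idle 0x400."""
    f = decode_dr7(dr7)
    return bool(f["LE"] and f["GE"])


def make_dr7(index, kind, length, scope="global", base=0x400):
    """Build a DR7 with one breakpoint enabled (inverse of active_breakpoints).
    `base` keeps the always-set reserved bit, as a real read of DR7 would."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index + (1 if scope == "global" else 0))
    return base | enable | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    for value in (0x400, 0x700, make_dr7(0, "read/write", 4)):
        print(f"dr7={value:#010x} loader={loaded_by_softice_loader(value)} "
              f"bps={active_breakpoints(value)}")
```

Reading DR7 is a privileged instruction, which is why the page says ring0
only; a ring3 program that tries `mov eax,dr7` takes a general protection
fault instead.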

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE when the \\.\SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\"
 prefix):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
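
Most of the tricks above leave fixed byte sequences in the binary, which is
what a reverser greps for before ever loading SoftICE. The following is an
added example (my own code, not the page's nor any of the cited tools'): a
static scanner that encodes the listings of Methods 01-05, 07 and 12, the
`in al,40h ... int 41h` shape of Method 06 (it has no magic constant, so only
the structure can be matched) and the device names of Method 11 as byte
regexes, then runs them over a constructed sample made of the Haspinst.exe
sequence, a Method 03 call, the Bleem sequence and a `\\.\SICE` string. The
opcodes assume 16-bit code for the DOS-era methods (real-mode default operand
size) and 32-bit code for Method 12; the call target in the sample is a
made-up import slot.

```python
"""Static scanner for the SoftICE-detection idioms of Methods 01-07, 11 and 12.

Added example, not from the page.  Opcode bytes used (Intel encoding):
  B8+r iw   MOV r16,imm16   (AX=B8 BX=BB SI=BE DI=BF)
  B4 ib     MOV AH,imm8     BD id  MOV EBP,imm32 (66 prefix in 16-bit code)
  CC        INT 3           CD ib  INT imm8     E4 ib  IN AL,imm8
  68 id     PUSH imm32      6A ib  PUSH imm8    3D iw  CMP AX,imm16
The DOS-era methods (01-07) are assumed to be 16-bit code, Method 12 32-bit.
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ... int 3
    "m01_bchk_int3": re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Method 02: mov si,4647h and mov di,4A4Dh close together (either order)
    "m02_backdoor_magic": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S),
    # Methods 03/04: mov bx,<VxD id> ... int 2Fh (ax=1684h is set nearby)
    "m03_int2f_sice": re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.S),
    "m04_int2f_siwvid": re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ... int 41h
    "m05_int41_4f": re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S),
    # Method 06 has no constant; match its shape: in al,40h ... int 41h
    "m06_in40_int41": re.compile(rb"\xE4\x40.{0,6}?\xCD\x41", re.S),
    # Method 07: mov ah,43h ... int 68h
    "m07_int68_43": re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    "m11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch)
    "m12_vxdcall_int41": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Methods 05/07/12 all end in cmp ax,0F386h
    "cmp_ax_f386": re.compile(rb"(?:\x66)?\x3D\x86\xF3"),
}


def scan(blob):
    """Return [(offset, signature_name)] sorted by offset."""
    hits = []
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: four fragments, hand-assembled from the page's listings.
SAMPLE = (
    b"\xB8\x11\x09"              # mov ax,0911h      (Haspinst.exe, Method 02)
    b"\x8B\x17"                  # mov dx,[bx]
    b"\xBE\x47\x46"              # mov si,4647h      <- hit at offset 5
    b"\xBF\x4D\x4A"              # mov di,4A4Dh
    b"\xCC"                      # int 3
    b"\x31\xFF"                  # xor di,di         (Method 03)
    b"\x8E\xC7"                  # mov es,di
    b"\xB8\x84\x16"              # mov ax,1684h
    b"\xBB\x02\x02"              # mov bx,0202h      <- hit at offset 19
    b"\xCD\x2F"                  # int 2Fh
    b"\x6A\x4F"                  # push 4Fh          (Bleem, Method 12) <- 24
    b"\x68\x2A\x00\x2A\x00"      # push 002A002Ah
    b"\xFF\x15\x00\x10\x40\x00"  # call [00401000h]  (made-up import slot)
    b"\x66\x3D\x86\xF3"          # cmp ax,0F386h     <- 37
    b"\\\\.\\SICE\x00"           # "\\.\SICE",0      (Method 11) <- 41
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x} {name}")
```

The short byte gaps (`.{0,8}?`) allow a few unrelated instructions between
the constant load and the interrupt, as in the Haspinst.exe listing where
`mov dx,[bx]` sits between them; a packer that spreads the loads further apart
or builds the constants arithmetically will still slip past a scanner like
this, which is the reason the breakpoint-based detections given with each
method matter.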
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' in keys #2 and #1):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
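
Where 0x13 and 0x37 come from, as an added example (not from the page):
esp->8 is lpSubKey, the second stack argument at the entry of
RegOpenKey(hKey, lpSubKey, phkResult), and the breakpoint compares the four
bytes 'tICE' at a fixed offset into that string. The Python below computes the
offset of a token in each of the three subkeys and emits the condition, so the
same breakpoint can be rebuilt for another token (for instance 'Load' to catch
key #3) or for another registry API with the same argument layout. The key
strings are the three listed above; the `_regopenkey` name and the esp->8 slot
are those used in the page's breakpoint.

```python
"""Derive the SoftICE conditional-breakpoint offsets of Method 13.

Added example, not from the page.  `esp->8` in SoftICE syntax is the dword at
esp+8, i.e. the lpSubKey argument at the entry of RegOpenKey(hKey, lpSubKey,
phkResult); `*(esp->8+0xNN)=='tICE'` compares the four bytes at lpSubKey+0xNN.
"""

# The three subkeys from the page (all under HKEY_LOCAL_MACHINE).
SUBKEYS = {
    1: r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    2: r"Software\NuMega\SoftICE",
    3: r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def token_offset(subkey, token="tICE"):
    """Byte offset of a 4-byte token in an ANSI subkey string, or None."""
    if len(token) != 4:
        raise ValueError("a dword compare needs a 4-byte token")
    pos = subkey.find(token)
    return None if pos < 0 else pos


def bpx_condition(subkeys, token="tICE", arg="esp->8"):
    """One *(arg+0xNN)=='token' clause per subkey containing the token,
    ordered by offset, duplicates merged."""
    offsets = set()
    for key in subkeys.values():
        off = token_offset(key, token)
        if off is not None:
            offsets.add(off)
    return " || ".join(f"*({arg}+0x{off:x})=='{token}'" for off in sorted(offsets))


def bpx_line(token="tICE", func="_regopenkey", arg="esp->8"):
    """Full BPX line, or None when no subkey contains the token."""
    cond = bpx_condition(SUBKEYS, token, arg)
    return f"BPX {func} if {cond}" if cond else None


if __name__ == "__main__":
    for n, key in SUBKEYS.items():
        print(f"#{n}: 'tICE' at {token_offset(key)}, "
              f"'Load' at {token_offset(key, 'Load')}")
    print(bpx_line())
    print(bpx_line("Load"))
```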

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>