About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; es is assumed to be 0 here (as in Method 06),
    xchg    bx, es:[41h*4+2]   ; so es:[41h*4] is the int 41h IVT entry
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]     ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(al is read from the timer port, so its value is unpredictable; only the
program's own handler copies al into cl. If a debugger's int 41h handler takes
the call instead of chaining to the installed vector, cl keeps its 0 and the
compare fails.)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

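As an added example (my own code, not part of the original post or of any SoftICE tool), here is a decoder for the DR7 / DR0..DR3 values that Method 10 reads. It shows why 0x400 is the "nothing set" value (bit 10 of DR7 is a reserved bit that always reads as 1), why 0x700 differs from it by exactly the LE and GE bits, and which hardware breakpoint slots are armed, with their address, condition and length. The bit layout is the documented x86 one; the sample DR7 value and address are constructed. Where the raw values come from (ring0 on the Win9x of the text, a thread context or crash dump elsewhere) is up to the caller.

```python
# Added example, not from the original post: decode the debug-register values
# Method 10 talks about.  DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#
#   bits 0,2,4,6   L0..L3  local enable of hardware breakpoint slot n
#   bits 1,3,5,7   G0..G3  global enable of slot n
#   bit  8         LE      local exact breakpoint (legacy)
#   bit  9         GE      global exact breakpoint (legacy)
#   bit  10        reserved, always reads as 1  -> the bare 0x400 from the text
#   bit  13        GD      general detect: fault on any access to DR0..DR7
#   bits 16+4n     R/W n   condition of slot n (2 bits)
#   bits 18+4n     LEN n   size of slot n (2 bits)

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7, addrs=(0, 0, 0, 0)):
    """Describe what DR7 enables.  addrs are the DR0..DR3 linear addresses."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is disarmed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "addr": addrs[n], "cond": RW_NAMES[rw],
                      "len": LEN_BYTES[ln], "local": local, "global": glob})
    return {
        # 0x700 - 0x400 == 0x300 == LE|GE: the difference between "launched by
        # the SoftICE loader" and "not" that the text describes
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def bpm_count(dr7):
    """Number of armed hardware breakpoint slots (what the text calls BPMs)."""
    return sum(1 for n in range(4) if (dr7 >> (2 * n)) & 3)


def classify(dr7):
    """The text's two-way reading of DR7, looking only at bits 8..10."""
    base = dr7 & 0x700
    if base == 0x700:
        return "LE|GE set: consistent with a SoftICE-loader launch"
    if base == 0x400:
        return "only the reserved bit: nothing from the loader"
    return "unexpected value for bits 8..10: 0x%x" % base


if __name__ == "__main__":
    # Constructed sample: loader bits plus slot 0 armed as a 4-byte read/write
    # breakpoint on a made-up address.
    sample_dr7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)   # == 0xF0701
    print(classify(sample_dr7))
    print("armed BPMs:", bpm_count(sample_dr7))
    print(decode_dr7(sample_dr7, (0x00401000, 0, 0, 0)))
```

Note that `classify` masks out the slot bits on purpose: a value such as 0xF0701 is still a "loader" DR7 with one breakpoint on top, which is exactly the combination the text warns you not to trace through.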
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name registered by the SoftICE VxD; opening it
      only succeeds when the driver is loaded.  CreateFile resolves to
      CreateFileA in an ANSI build. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  comparison looks at the device name itself)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
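Most of the methods above boil down to a handful of fixed instruction sequences and strings, which is what an analyst triaging an unpacked binary would look for statically rather than with a BPX. As an added example, not code from the original post or from any of the tools it mentions, here is a small Python signature scanner covering Methods 01 to 05, 07, 11, 12 and 13. The byte patterns are my own encodings of the idioms shown in the text (mov ebp,4243484Bh is BD 4B 48 43 42, int 3 is CC, mov si,4647h is BE 47 46 in 16-bit code, and so on; an optional 66h operand-size prefix lets the 16-bit idioms also match inside 32-bit code). The sample buffer is constructed and stands in for a packer stub. A hit is a pointer to an offset worth disassembling, not proof: short sequences such as mov ax,4Fh / int 41h can occur in legitimate code.

```python
import re

# Added example, not from the original post: static signature scan for the
# anti-SoftICE idioms the text lists.  Patterns are regexes over raw bytes;
# "\x66?" accepts an optional operand-size prefix, ".{0,8}?" tolerates a few
# instructions between the parts of an idiom.

DEVICE_PREFIX = b"\\\\.\\"            # the \\.\ prefix used by MeltICE (Method 11)

SIGNATURES = [
    ("Method 01: 'BCHK' BoundsChecker check (mov ebp,4243484Bh)",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("Method 02: back door magic values (mov si,4647h ... mov di,4A4Dh)",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh (mov ax,4Fh ... int 41h)",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("Method 07: int 68h function 43h (mov ah,43h ... int 68h)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("Method 11: MeltICE device name",
     re.escape(DEVICE_PREFIX) + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("Method 13: SoftICE registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(data):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


def methods_found(data):
    """Only the 'Method NN' labels, in file order, for quick triage."""
    return [desc[:9] for _, desc in scan(data)]


# Constructed sample: four of the idioms above separated by NOP/zero filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # Method 01, 32-bit form
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02, 16-bit form
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # Method 05, 16-bit form
    + b"\x00" * 2
    + DEVICE_PREFIX + b"SICE\x00"                              # Method 11 string
    + b"\x00" * 2
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13 key
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("0x%04x  %s" % (offset, desc))
```

Methods 06, 08, 09, 10 and 14 are left out on purpose: they either have no fixed immediate to key on (06 reuses the int 41h vector swap of 05, 08 is an ordinary int 21h/25h call) or run inside a VxD, where a VMMCall is an int 20h followed by a service number and is better handled by a disassembler than by a byte regex.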

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 ) | Powered by Discuz! X3.5