<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE answers to: with EBP = 'BCHK' and AX = 4,
an INT 3 comes back with AL changed only when SoftICE is loaded; when it is
not there, AL is still 4 afterwards.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE or to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) when the
  debugger is not loaded: without SoftICE nothing answers the INT 3, so the
  handler catches it and takes over.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back as
0:0; anything else means the SICE VxD answered. Note that the code tests
the sum ES+DI rather than each half, so a sum wrapping to zero would hide
a hit (or ax,di avoids that).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (the debugger installation
check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at a handler of its own (a bare IRET, so that AX comes back unchanged
when no debugger answers), then restores the original vector. Under bare
DOS the int 41h vector normally holds the address of the BIOS fixed-disk
parameter table rather than code, which is one reason for installing a
handler before calling it.

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point at segment 0 (the IVT), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect,
because there is no compare against 0F386h to break on: the program's own
handler copies AL into CL, a pseudo-random byte read from the timer port
(in al,40h) is passed in AL and CX is cleared first. Without a debugger the
int 41h reaches the handler and CL == AL afterwards; with SoftICE hooking
int 41h the handler is never reached, CL stays 0 and the compare fails.
(Should the timer byte happen to be 0, the check gives a false negative.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the 8253/8254 timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h returns the
same 0F386h magic number as int 41h/4Fh.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip at [ebp+48h] for 32-bit apps)
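The probes in methods 01 through 07 all have the same shape: a fixed
interrupt number plus a handful of register values. As an added example
(this is not code from the original text, nor from any of the programs it
names), here is that pattern match written in C, the way a debugger's
interrupt hook or an emulator would flag a probe before deciding what to
hand back. The constants are the ones quoted above; the struct, the function
names and the sample snapshots in main() are this example's own.

```c
/* Added example, not code from the original text nor from any program it
 * names: the interrupt probes of methods 01..07 as a register pattern match,
 * the way a debugger's INT hook or an emulator would flag them before
 * deciding what to hand back. Constants are the ones quoted above; the
 * struct, function names and sample snapshots are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register snapshot taken at the INT instruction. */
struct probe_regs {
    uint8_t  vector;                 /* interrupt number: 03h, 2Fh, 41h, 68h */
    uint16_t ax, bx, si, di, es;
    uint32_t ebp;
};

/* Description of the probe, or NULL if no method 01..07 pattern matches. */
const char *classify_probe(const struct probe_regs *r)
{
    switch (r->vector) {
    case 0x03:
        /* method 01: EBP='BCHK', AX=4 (BoundsChecker interface) */
        if (r->ebp == 0x4243484BUL && r->ax == 0x0004)
            return "int3 BCHK probe (method 01)";
        /* method 02: back door, SI=4647h ('FG'), DI=4A4Dh ('JM'), AX=09xxh */
        if (r->si == 0x4647 && r->di == 0x4A4D) {
            switch (r->ax) {
            case 0x0910: return "int3 back door 0910h display string (method 02)";
            case 0x0911: return "int3 back door 0911h execute command (method 02)";
            case 0x0912: return "int3 back door 0912h get breakpoint info (method 02)";
            case 0x0913: return "int3 back door 0913h set breakpoint (method 02)";
            case 0x0914: return "int3 back door 0914h remove breakpoint (method 02)";
            default:     return "int3 with SoftICE magic SI/DI, unknown function";
            }
        }
        return NULL;
    case 0x2F:
        /* methods 03/04: int 2Fh/1684h, BX = VxD ID whose entry point is wanted */
        if (r->ax == 0x1684 && r->bx == 0x0202) return "int 2Fh/1684h for SICE VxD 0202h (method 03)";
        if (r->ax == 0x1684 && r->bx == 0x7A5F) return "int 2Fh/1684h for SIWVID VxD 7A5Fh (method 04)";
        return NULL;
    case 0x41:
        /* method 05: debugger installation check, AX=4Fh */
        return r->ax == 0x004F ? "int 41h/4Fh installation check (method 05)" : NULL;
    case 0x68:
        /* method 07: AH=43h */
        return (r->ax >> 8) == 0x43 ? "int 68h/43h installation check (method 07)" : NULL;
    default:
        return NULL;
    }
}

/* Registers a hook must hand back for the probe to conclude "no debugger":
 * method 01 wants AL still 4, methods 03/04 want ES:DI == 0:0, methods 05
 * and 07 want anything but 0F386h in AX (leaving AX untouched does it).
 * The method 02 back door cannot be answered with register values: there the
 * program expects the INT 3 to fault when SoftICE is absent (see the
 * Haspinst note above). Returns 1 when *out holds a usable reply, else 0. */
int reply_as_if_absent(const struct probe_regs *in, struct probe_regs *out)
{
    if (classify_probe(in) == NULL) return 0;
    *out = *in;
    if (in->vector == 0x03 && in->si == 0x4647 && in->di == 0x4A4D)
        return 0;                        /* back door: must fault, not return */
    if (in->vector == 0x2F) { out->es = 0; out->di = 0; }
    return 1;
}

int main(void)
{
    /* constructed snapshots: one per method plus a harmless DOS exit call */
    const struct probe_regs samples[] = {
        { .vector = 0x03, .ax = 0x0004, .ebp = 0x4243484BUL },
        { .vector = 0x03, .ax = 0x0911, .si = 0x4647, .di = 0x4A4D },
        { .vector = 0x2F, .ax = 0x1684, .bx = 0x0202 },
        { .vector = 0x41, .ax = 0x004F },
        { .vector = 0x68, .ax = 0x4300 },
        { .vector = 0x21, .ax = 0x4C00 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct probe_regs reply;
        const char *what = classify_probe(&samples[i]);
        printf("int %02Xh ax=%04X: %s", samples[i].vector, samples[i].ax,
               what ? what : "no known probe");
        if (what)
            fputs(reply_as_if_absent(&samples[i], &reply) ? ", answerable" : ", must fault", stdout);
        putchar('\n');
    }
    return 0;
}
```

Method 06 is deliberately absent from the classifier: it carries no fixed
function number, which is exactly why the text calls it harder to detect.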
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system: the
program intercepts int 01h and int 03h and redirects them to a routine of
its own, so the debugger's single-step and breakpoint traps land there.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (and the computer hangs...).

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3 hold the BPM addresses). The values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by NuMega people to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument, +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 means the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the positions of "tICE" in the subkey strings of #2 and #1
respectively, so key #3 is not covered):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
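The CreateFileA/_lopen breakpoint of Method 11 and the _regopenkey
breakpoint above both do the same thing: read four bytes at a fixed offset
into a string argument and compare them with a 4-character literal. As an
added example (this is not code from the original text, from MeltICE or from
NuMega), here are both predicates written out in C, so the magic offsets can
be recomputed rather than trusted, together with a case-insensitive variant
that also catches key #3. The function names and the sample strings in
main() are this example's own.

```c
/* Added example, not code from the original text, from MeltICE or from
 * NuMega: the CreateFileA/_lopen breakpoint of Method 11 and the
 * _regopenkey breakpoint of Method 13 as C predicates. Function names and
 * the sample strings in main() are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p)=='SICE' compares the dword at p with the four literal
 * bytes in memory order; an exact 4-byte memcmp is the same test. Unlike
 * the BPX, refuse to read past the end of the string. */
static int match4(const char *s, size_t off, const char *lit)
{
    return strlen(s) >= off + 4 && memcmp(s + off, lit, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName
 * (first argument), +4 skips the "\\.\" device prefix. Returns the driver
 * the program is probing for, or NULL. The _lopen variant passes the same
 * string, so the same predicate applies. */
const char *softice_device_probe(const char *lpFileName)
{
    static const struct { const char *tag; const char *driver; } drv[] = {
        { "SICE", "SICE (Win9x)" },
        { "SIWV", "SIWVID (Win9x)" },
        { "NTIC", "NTICE (WinNT)" },
    };
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;                                /* not a device name */
    for (size_t i = 0; i < sizeof drv / sizeof drv[0]; i++)
        if (match4(lpFileName, 4, drv[i].tag))
            return drv[i].driver;
    return NULL;
}

/* Position of a 4-char tag inside a key path, or -1: recomputes the two
 * constants in the Method 13 breakpoint. */
long tag_offset(const char *key, const char *tag)
{
    const char *p = strstr(key, tag);
    return p ? (long)(p - key) : -1;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is lpSubKey (second argument). 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE" (#2), 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (#1). */
int softice_regkey_probe_bpx(const char *lpSubKey)
{
    return match4(lpSubKey, 0x13, "tICE") || match4(lpSubKey, 0x37, "tICE");
}

/* The fixed-offset test misses a caller that spells the key in another case
 * (registry key names are case-insensitive) and never sees key #3. This
 * variant lowercases the path and searches all of it. */
int softice_regkey_probe_robust(const char *lpSubKey)
{
    char low[256];
    size_t n = strlen(lpSubKey);
    if (n >= sizeof low) n = sizeof low - 1;
    for (size_t i = 0; i < n; i++)
        low[i] = (char)tolower((unsigned char)lpSubKey[i]);
    low[n] = '\0';
    return strstr(low, "softice") != NULL || strstr(low, "loader32.exe") != NULL;
}

int main(void)
{
    /* constructed sample arguments, as the breakpoints would see them */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "C:\\SICE" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        const char *d = softice_device_probe(files[i]);
        printf("%-22s -> %s\n", files[i], d ? d : "not a SoftICE probe");
    }
    const char *k2 = "Software\\NuMega\\SoftICE";
    const char *k1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
    const char *k3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";
    printf("tICE at 0x%lx in #2, 0x%lx in #1\n", tag_offset(k2, "tICE"), tag_offset(k1, "tICE"));
    printf("#2: bpx=%d robust=%d\n", softice_regkey_probe_bpx(k2), softice_regkey_probe_robust(k2));
    printf("#2 upper-cased: bpx=%d robust=%d\n",
           softice_regkey_probe_bpx("SOFTWARE\\NUMEGA\\SOFTICE"),
           softice_regkey_probe_robust("SOFTWARE\\NUMEGA\\SOFTICE"));
    printf("#3: bpx=%d robust=%d\n", softice_regkey_probe_bpx(k3), softice_regkey_probe_robust(k3));
    return 0;
}
```

The same two weaknesses apply to the CreateFileA breakpoint: it compares
exact bytes at a fixed position, so a program that opens the device under a
different spelling of the name, or that builds the string at run time and
passes it through another API, does not trip it.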
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>