<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: the
BoundsChecker installation check is INT 3 with AX=04h and BP='BCHK'. If
nothing services the interrupt, AX is untouched and AL is still 4; when
SoftICE is loaded it handles the check and AL comes back changed.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much in use (perhaps the most frequent one). It relies
on the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands, pointed to by ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  with no debugger present, the INT 3 raises a breakpoint exception that the
  program catches itself.
___________________________________________________________________________

Method 03
=========

A less common method. It looks for the ID of the SoftICE VxD via
int 2Fh/AX=1684h (Get Device API Entry Point): when the VxD is loaded,
ES:DI comes back non-zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES+DI used as a cheap non-zero test
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, and the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first installs a harmless IRET
handler on int 41h, so the call cannot crash when nothing hooks that vector;
SoftICE, which takes the interrupt before the program's vector is reached
(Method 06 relies on the same fact), still returns the magic number:

    xor ax,ax
    mov es,ax               ; ES must point to the IVT (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old offset in DX
    xchg bx, es:[41h*4+2]   ; ...and the old segment in BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect: it does
not look for the magic number at all. It installs its own int 41h handler,
which copies AL into CL, issues an int 41h with AL and CX chosen to differ,
and then checks whether its handler ran. If SoftICE is loaded it takes the
interrupt itself, the handler never executes, and CL != AL (unless the timer
byte read from port 40h happens to be 0, in which case the check misses).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; hard-to-predict value (PIT counter)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): AH=43h is the
debugger installation check and returns AX=F386h when a debugger is present.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h (get interrupt vector) and 25h (set interrupt
vector); for 25h, ds:dx points to the new routine to execute (which hangs
the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (dr7=0x700 if you started the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (dr0 to dr3), simply
by looking at their values. The values can be manipulated or changed as well
(clearing BPMs, for instance).

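The following is an added example, not code from the original tutorial: it decodes a DR7 value the way a ring 0 check of this method would, applies the 0x700/0x400 heuristic stated above, and shows what "clearing BPMs" means at the bit level. Reading the real register takes `mov eax, dr7` in ring 0, so the snapshots below are constructed values; the field layout is the documented one (L0..L3/G0..G3 in bits 0-7, LE/GE in bits 8-9, bit 10 always 1, R/W and LEN pairs from bit 16 up).

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bits that are not per-breakpoint fields: LE (bit 8) and GE (bit 9) are the
   legacy "exact" enables, bit 10 is reserved and always reads as 1, GD (bit 13)
   traps any further access to the debug registers. */
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSVD (1u << 10)
#define DR7_GD   (1u << 13)

typedef struct {
    int enabled;   /* L or G bit set: DRn is armed */
    int global;    /* G bit: survives task switches */
    unsigned rw;   /* 0 execute, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    unsigned len;  /* bytes covered: 1, 2, 4 (code 2 means 8 in 64-bit mode) */
} hwbp_t;

/* Decode the four breakpoint slots out of a DR7 value; returns how many are armed. */
int dr7_decode(uint32_t dr7, hwbp_t out[4])
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };
    int n = 0;
    for (int i = 0; i < 4; i++) {
        unsigned l = (dr7 >> (2 * i)) & 1u;       /* Li */
        unsigned g = (dr7 >> (2 * i + 1)) & 1u;   /* Gi */
        out[i].enabled = (l | g) ? 1 : 0;
        out[i].global  = (int)g;
        out[i].rw      = (dr7 >> (16 + 4 * i)) & 3u;            /* R/Wi */
        out[i].len     = len_bytes[(dr7 >> (18 + 4 * i)) & 3u]; /* LENi */
        n += out[i].enabled;
    }
    return n;
}

/* Per-slot accessors, handy for a one-line check. */
int      dr7_bp_enabled(uint32_t dr7, int i) { hwbp_t b[4]; dr7_decode(dr7, b); return b[i].enabled; }
unsigned dr7_bp_rw(uint32_t dr7, int i)      { hwbp_t b[4]; dr7_decode(dr7, b); return b[i].rw; }
unsigned dr7_bp_len(uint32_t dr7, int i)     { hwbp_t b[4]; dr7_decode(dr7, b); return b[i].len; }

/* The tutorial's heuristic: a program started by the SoftICE loader sees LE|GE
   set (0x700); a normally started one sees only the reserved bit (0x400). */
int dr7_loaded_by_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* "Clearing BPMs" at register level: drop every L/G enable bit and every R/W
   and LEN field, leave LE/GE/reserved/GD alone. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

int main(void)
{
    /* Constructed snapshots: plain, loader-started, DR0 write/1 byte, DR1 global rw/4 bytes. */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x00010701u, 0x00F00708u };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        hwbp_t bp[4];
        int n = dr7_decode(samples[s], bp);
        printf("dr7=%08x loader=%d armed=%d cleared=%08x\n", (unsigned)samples[s],
               dr7_loaded_by_softice_loader(samples[s]), n,
               (unsigned)dr7_clear_bpm(samples[s]));
        for (int i = 0; i < 4; i++)
            if (bp[i].enabled)
                printf("  DR%d %s rw=%u len=%u\n", i,
                       bp[i].global ? "global" : "local", bp[i].rw, bp[i].len);
    }
    return 0;
}
```

A check that only compares DR7 against 0x700 is brittle (any other tool that sets LE/GE looks like the SoftICE loader); the decoder lets a ring 0 check look specifically for armed slots, which is what a BPM actually leaves behind.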
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega's own
people to let Symbol Loader check whether SoftICE was active (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
    00401074: je 00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

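As an added example (not MeltICE's or nmtrans.dll's own code), the probe below generalizes the sample above over all three device names, and pairs it with the hook-side filter that the CreateFileA breakpoint condition expresses: a 4-byte compare of the bytes after the "\\.\" prefix. The Win32 probe is only compiled on Windows and reuses the sample's CreateFile flags; the filter is portable. The function names and the sample path list are mine.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* The three device names MeltICE-style code opens: SICE and SIWVID on Win9x,
   NTICE on WinNT. */
#define SOFTICE_DEVICE_COUNT 3
static const char *const softice_devices[SOFTICE_DEVICE_COUNT] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};

/* Hook-side filter mirroring the breakpoint condition
       *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   i.e. a 4-byte compare of what follows the "\\.\" prefix of lpFileName.
   Like the breakpoint it is case-sensitive and ignores everything after the
   tag, so "\\.\SIWVID" matches through 'SIWV'. Returns the index into
   softice_devices, or -1 when the path is not a SoftICE device. */
int softice_device_index(const char *path)
{
    static const char *const tags[SOFTICE_DEVICE_COUNT] = { "SICE", "SIWV", "NTIC" };
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return -1;
    for (int i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (strncmp(path + 4, tags[i], 4) == 0)
            return i;
    return -1;
}

/* Case-insensitive variant: CreateFileA does not care about case, so a hook
   that only does the exact compare above is sidestepped by "\\.\sice". */
int softice_device_index_ci(const char *path)
{
    char upper[16];
    size_t i;
    if (path == NULL)
        return -1;
    for (i = 0; i < sizeof upper - 1 && path[i] != '\0'; i++)
        upper[i] = (char)toupper((unsigned char)path[i]);
    upper[i] = '\0';            /* truncation keeps the prefix and the tag */
    return softice_device_index(upper);
}

#ifdef _WIN32
/* The MeltICE probe over all three names (same flags as the sample above).
   Returns the index of the first device that opened, or -1 if none did. */
int softice_probe(void)
{
    for (int i = 0; i < SOFTICE_DEVICE_COUNT; i++) {
        HANDLE h = CreateFileA(softice_devices[i], GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            CloseHandle(h);
            return i;
        }
    }
    return -1;
}
#endif

int main(void)
{
    /* Constructed lpFileName arguments, as a CreateFileA hook would see them. */
    const char *seen[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\sice", "C:\\SICE\\WINICE.DAT", "\\\\.\\PhysicalDrive0" };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-24s exact=%2d ci=%2d\n", seen[i],
               softice_device_index(seen[i]), softice_device_index_ci(seen[i]));
#ifdef _WIN32
    printf("probe: %d (-1 = no SoftICE driver answered)\n", softice_probe());
#endif
    return 0;
}
```

The case-insensitive filter is the one to use in a hook: the BPX above, being an exact byte compare, misses a program that lower-cases the device name, while CreateFileA opens it just the same.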

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer, and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only); it returns with the zero flag set when no debugger is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>