<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands... It is also used to crash SoftICE
and to force it to execute any command (HBOOT...) :-((
Here is a quick description:

    -AX = 0910h (Display a string in the SoftICE window)
    -AX = 0911h (Execute a SoftICE command - the command is pointed to by ds:dx)
    -AX = 0912h (Get breakpoint info)
    -AX = 0913h (Set SoftICE breakpoints)
    -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, save the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but harder to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler, save the old one
    xchg bx, es:[41h*4+2]
    in al, 40h              ; any non-constant value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

A method detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
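As an added example (it is not part of the original text, nor code from any of the tools named here), the following Python scanner looks for the opcode sequences of methods 01, 02, 05 and 07 in a raw code buffer, so an analyst can tell which of these checks an unpacked sample carries before tracing it. The byte patterns are the standard x86 encodings of the listings above (16-bit code, with a 66h prefix where the 32-bit form differs); the signature names and the sample buffers are constructed here, not taken from any real binary.

```python
import re
from typing import List, Tuple

# Byte patterns for the checks described in methods 01, 02, 05 and 07.
# Encodings are the standard x86 ones for the listings above (16-bit code
# unless noted); '.{0,16}?' allows a few unrelated instructions in between.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK', stored little-endian as 'KHCB')
    # followed by an int 3 shortly after.
    ("method01_bchk", re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3.
    ("method02_backdoor", re.compile(
        rb"(?:\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46)"
        rb".{0,16}?\xcc", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("method05_int41_4f", re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    # Methods 05 and 07: cmp ax,0F386h (optional 66h prefix in 32-bit code)
    ("magic_f386", re.compile(rb"\x66?\x3d\x86\xf3")),
    # Method 07: mov ah,43h ; int 68h
    ("method07_int68_43", re.compile(rb"\xb4\x43\xcd\x68")),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) pairs found in buf, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_present(buf: bytes) -> List[str]:
    """Distinct signature names found in buf, in first-occurrence order."""
    seen: List[str] = []
    for _, name in scan(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample 1: a 32-bit method 01 check followed by a 16-bit method 05
# check, padded with NOPs. Jump displacements are placeholders.
SAMPLE_01_05 = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"   # mov ebp, 4243484Bh   ; 'BCHK'
    + b"\x66\xb8\x04\x00"       # mov ax, 4            (66h prefix: 32-bit code)
    + b"\xcc"                   # int 3
    + b"\x3c\x04"               # cmp al, 4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xb8\x4f\x00"           # mov ax, 4Fh
    + b"\xcd\x41"               # int 41h
    + b"\x3d\x86\xf3"           # cmp ax, 0F386h
    + b"\x74\x10"               # jz SoftICE_detected
    + b"\x90" * 8
)

# Constructed sample 2: the core of the Haspinst.exe loop from method 02.
SAMPLE_02 = (
    b"\xb8\x11\x09"             # mov ax, 0911h
    + b"\x8b\x17"               # mov dx, [bx]
    + b"\xbe\x47\x46"           # mov si, 4647h
    + b"\xbf\x4d\x4a"           # mov di, 4A4Dh
    + b"\xcc"                   # int 3
)

if __name__ == "__main__":
    for sample in (SAMPLE_01_05, SAMPLE_02):
        for off, name in scan(sample):
            print(f"offset {off:#06x}: {name}")
```

The patterns deliberately anchor on the immediates (the 'BCHK' constant, the 4647h/4A4Dh pair, function 4Fh, the 0F386h magic) rather than on whole instruction runs, because packers routinely interleave junk instructions; the bounded gap keeps false positives low while still catching the Haspinst-style loop.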
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers, you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring0 only). The values can be
manipulated and/or changed as well (clearing BPMs, for instance).
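To make the dr7 values quoted above concrete, here is an added Python decoder (not part of the original text) that breaks a DR7 value into its enable bits and the R/W and LEN fields of the four breakpoint slots, following the layout documented in the Intel SDM, and then applies the two observations from the text: 0x400 is the idle value, 0x700 additionally has LE and GE set, and any armed slot means a memory breakpoint (BPM) is live. The register values passed in are constructed; the function and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Meaning of the R/W and LEN fields of DR7 (Intel SDM, "Debug Registers").
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 is undefined outside 64-bit mode


@dataclass
class HwBreakpoint:
    index: int        # 0..3, i.e. which of DR0..DR3 holds the address
    local: bool       # Ln bit (bits 0,2,4,6)
    global_: bool     # Gn bit (bits 1,3,5,7)
    access: str       # decoded R/Wn field
    length: int       # decoded LENn field, in bytes


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Break a DR7 value into its flags and the armed breakpoint slots."""
    slots: List[HwBreakpoint] = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue                      # slot disarmed, fields are ignored
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return {
        "le": bool(dr7 & 0x100),          # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),          # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),         # general detect (trap on DR access)
        "breakpoints": slots,
    }


def classify(dr7: int, dr0_3: List[int]) -> List[str]:
    """Apply the observations from the text: 0x400 is the idle value, 0x700
    (LE and GE set) is what the text reports after loading through the SoftICE
    loader, and any armed slot means a memory breakpoint (BPM) is active."""
    info = decode_dr7(dr7)
    notes: List[str] = []
    if info["le"] and info["ge"]:
        notes.append("LE/GE set (text: dr7=0x700 when loaded via SoftICE loader)")
    for bp in info["breakpoints"]:
        scope = "global" if bp.global_ else "local"
        notes.append(f"BPM armed: DR{bp.index}={dr0_3[bp.index]:#010x} "
                     f"{scope} {bp.access} len={bp.length}")
    if not notes:
        notes.append("no indicators (dr7 looks idle)")
    return notes


if __name__ == "__main__":
    # Constructed register snapshots: idle, loader case, and one armed BPM.
    for dr7, regs in ((0x400, [0, 0, 0, 0]),
                      (0x700, [0, 0, 0, 0]),
                      (0xD0401, [0x00401000, 0, 0, 0])):
        print(f"dr7={dr7:#x}: " + "; ".join(classify(dr7, regs)))
```

Bit 10 of DR7 is reserved and always reads as 1, which is why the idle value is 0x400 rather than 0; the decoder ignores it. Reading DR0..DR7 is a privileged operation, which is the "ring0 only" caveat in the text, so in practice this decoding is applied to values captured by a driver or a debugger rather than from user mode.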

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the Win9x SoftICE driver accepts a handle open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but is very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>