<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh              ; function 4fh
        push 002a002ah              ; high word specifies which VxD (VWIN32)
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001       ; VxdCall
        cmp ax, 0f386h              ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
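
The breakpoints above catch these tricks while the program runs; an analyst
usually wants to spot them in the file before loading it. As an added example
(not from the original text, and not code from any of the programs mentioned),
here is a small Python scanner that searches a raw image for the byte sequences
and strings characteristic of methods 01, 02, 05, 07, 11 and 13: the 'BCHK'
int 3 stub, the 4647h/4A4Dh back door magic values, the int 41h/4Fh and int
68h/43h calls, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the
registry paths of method 13. The opcode encodings are standard x86; the
indicator names, the gap tolerance between instructions and the sample image
built by build_sample() are constructed for this example.

```python
"""Scan a raw binary image for the anti-SoftICE stubs described on this page.

Added example (not from the original text): a triage helper that looks for the
byte sequences and strings characteristic of Methods 01, 02, 05, 07, 11 and 13.
Opcode encodings are standard x86; the sample image and the indicator names
are constructed for this example.
"""
import re
import sys

# A few arbitrary bytes are tolerated between the instructions of a stub so
# that interleaved junk does not defeat the match (constructed choice: 8).
GAP = rb".{0,8}?"

# Operand-size prefixes (66h) are deliberately omitted: the remaining opcode
# bytes are identical in 16-bit real-mode code and 32-bit PE code, so each
# pattern matches both.  Encodings: MOV r,imm = B8+reg (BD=EBP, BE=SI, BF=DI),
# MOV AH,imm8 = B4, INT 3 = CC, INT n = CD nn, CMP AL,imm8 = 3C.
CODE_PATTERNS = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    "bchk_int3 (method 01)": rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xB8\x04\x00"
                             + GAP + rb"\xCC" + GAP + rb"\x3C\x04",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    "backdoor_int3 (method 02)": rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Method 05: mov ax,4Fh / int 41h
    "int41_4f (method 05)": rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "int68_43 (method 07)": rb"\xB4\x43" + GAP + rb"\xCD\x68",
}

# Method 11: device names handed to CreateFileA / _lopen.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
# Method 13: registry paths that reveal a SoftICE installation.
REGISTRY_KEYS = [rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE", rb"App Paths\Loader32.Exe"]


def _string_pattern(strings, flags=0):
    """Alternation over the given byte strings, in both ASCII and UTF-16LE form."""
    alts = [re.escape(s) for s in strings]
    alts += [re.escape(s.decode("ascii").encode("utf-16-le")) for s in strings]
    return re.compile(b"|".join(alts), flags)


PATTERNS = {name: re.compile(pat, re.DOTALL) for name, pat in CODE_PATTERNS.items()}
PATTERNS["softice_device_name (method 11)"] = _string_pattern(DEVICE_NAMES)
PATTERNS["softice_registry_key (method 13)"] = _string_pattern(REGISTRY_KEYS, re.IGNORECASE)


def scan(data: bytes):
    """Return (indicator, offset) pairs for every hit in data, sorted by offset."""
    hits = [(name, m.start()) for name, pat in PATTERNS.items() for m in pat.finditer(data)]
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def build_sample() -> bytes:
    """Constructed image: NOP filler with three stubs embedded at known offsets."""
    filler = b"\x90" * 16
    # Method 01 stub as assembled in a 16-bit segment (66h prefix on mov ebp).
    method01 = b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"
    # Method 02 stub from the Haspinst.exe listing:
    # mov ax,911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    method02 = b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # Method 11: the device name MeltICE passes to CreateFileA.
    melt_ice = b"\\\\.\\SICE\x00"
    return filler + method01 + filler + method02 + filler + melt_ice + filler


if __name__ == "__main__":
    # Scan the file given on the command line, or the built-in sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, offset in scan(image):
        print(f"{offset:#08x}  {name}")
```

Run with a file argument to scan a real image; without one it scans the
constructed sample and reports the method 01 stub at offset 0x11, the method 02
stub at 0x31 and the \\.\SICE string at 0x48. The patterns are indicators, not
proof: int 41h/4Fh also appears in legitimate DOS debugger-aware code, so treat
a hit as a place to look, and compare the surrounding bytes with the listings
above.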

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>