About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE! SoftICE answers the
BoundsChecker interface on int 3 by changing AL, so if AL still holds 4
afterwards the debugger is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

% N/ ~6 @! {* K1 p, X" }4 P
# B3 C3 n* @+ P. N+ ?$ o, M  HMethod 032 c2 `9 w5 Y6 R( r
=========; H) J' l: j- d: q! W2 ~1 b# m
+ d9 C" S+ U- ~: {5 W/ M/ a
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h* |' T1 D- {9 z2 u
(API Get entry point)
0 Q& i2 r/ M) y, U0 S  m3 `; \        
8 `9 u6 P/ K7 q5 J9 a
( z) P. l( H4 O* K' y    xor     di,di5 B; u# j& `& w0 G4 j
    mov     es,di  a, k9 f7 e( q; b
    mov     ax, 1684h       6 E8 W! g: E4 f6 B, }2 b. {
    mov     bx, 0202h       ; VxD ID of winice
; @* U( i" {! X/ m) N) {    int     2Fh
4 `( b+ c& B, W! Z5 L7 i2 U+ K    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: O3 `: }- w/ W. W9 ]* f& u" _, e6 N    add     ax, di0 f9 Z) d+ Q3 s% k2 z" X1 |
    test    ax,ax, d4 y: C" B6 l- c" e4 L; s4 \
    jnz     SoftICE_Detected
5 \1 F$ \: U% {' b1 B* d- W. @; J8 Y% i( x: o( r; d
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps its own int 41h
handler into the vector table (it assumes ES = 0, the interrupt vector table
segment, as set up explicitly in Method 06):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install own handler, keep old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
program's own handler copies AL into CL, so CL differs from AL only when
something else (SoftICE) handled int 41h instead of that handler.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when it is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
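As an added example (not part of the original text, nor code from any tool it mentions), here is a Python triage scanner that flags a binary carrying the byte patterns of methods 01 to 05, 07, 11, 12 and 13 above: the fixed immediates, the MeltICE device names and the registry paths. The handler-swap, VMMCall and debug-register methods (06, 08, 09, 10, 14) leave no such constant to match and are left out; the rule names and the sample image are constructed for the demonstration.

```python
"""Static triage scanner for the anti-SoftICE patterns described above.

Added example, not from the original text or any tool it names. The x86
encodings are standard; rule names and the SAMPLE image are constructed.
"""
import re

# Immediates are little-endian on disk: 'BCHK' (4243484Bh) is b"KHCB",
# 4647h is b"GF", 4A4Dh is b"MJ". (?:\x66)? allows the operand-size prefix
# that the 16-bit moves carry when the same trick sits in 32-bit code.
RULES = {
    # Method 01: mov ebp,4243484Bh ... int 3
    "m01_boundschecker_int3": re.compile(rb"\xBDKHCB.{0,16}?\xCC", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    "m02_backdoor_magic": re.compile(
        rb"(?:\x66)?\xBEGF.{0,8}?(?:\x66)?\xBFMJ", re.S),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "m03_04_int2f_vxd_id": re.compile(
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "m05_int41_4f": re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    "m11_meltice_devname": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah ahead of the VxDCall
    "m12_vxdcall_int41dispatch": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry paths that name the SoftICE installation
    "m13_registry_keys": re.compile(
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
}


def scan(image: bytes) -> dict:
    """Return {rule_name: [offsets]} for every rule with at least one hit."""
    hits = {}
    for name, pattern in RULES.items():
        offsets = [m.start() for m in pattern.finditer(image)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample image (not taken from any real file): filler bytes with
# a few of the patterns embedded the way a packer stub would carry them.
SAMPLE = (
    b"MZ" + b"\x90" * 30
    + b"\xBDKHCB\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"        # method 01
    + b"\x90" * 8
    + b"\x66\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"        # method 05
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                 # method 11
    + b"Software\\NuMega\\SoftICE\x00"                      # method 13
)

if __name__ == "__main__":
    for rule, offsets in scan(SAMPLE).items():
        print(f"{rule:28s} at {[hex(o) for o in offsets]}")
```

Run it against a file with `scan(open(path, "rb").read())`; a hit is a triage lead to confirm in the disassembly, not proof of intent.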