<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmps back.
    4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es is assumed to point at segment 0 (the IVT)
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether there are some memory breakpoints set (dr0 to dr3), simply by
reading their value (in ring0 only). Values can be manipulated and/or changed
as well (clearing BPMs for instance).
___________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

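As an added example that is not part of the original text, here is a small Python triage scanner that flags the byte patterns of methods 01, 02, 03/04, 05, 07, 11 and 12 in a code buffer, the kind of rule an analyst uses to spot anti-debugging code in a sample before stepping through it. The instruction encodings are the x86 encodings of the listed mnemonics (assumed from the text, which gives only mnemonics), and the sample buffer is constructed.

```python
import re

# Added example: signature scanner for the SoftICE checks described above.
# Each pattern is the x86 encoding of the key instructions of one method;
# ".{0,6}" tolerates a few bytes of unrelated code between them.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42); mov ax,4 (66 B8 04 00); int 3 (CC)
    "M01": rb"\xBD\x4B\x48\x43\x42.{0,6}\x66\xB8\x04\x00.{0,6}\xCC",
    # Method 02: mov si,4647h (BE 47 46); mov di,4A4Dh (BF 4D 4A); int 3 (CC)
    "M02": rb"\xBE\x47\x46.{0,6}\xBF\x4D\x4A.{0,6}\xCC",
    # Methods 03/04: mov ax,1684h (B8 84 16); mov bx,0202h or 7A5Fh; int 2Fh (CD 2F)
    "M03/04": rb"\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F",
    # Method 05: mov ax,4Fh (B8 4F 00); int 41h (CD 41); cmp ax,0F386h (3D 86 F3)
    "M05": rb"\xB8\x4F\x00.{0,6}\xCD\x41.{0,6}\x3D\x86\xF3",
    # Method 07: mov ah,43h (B4 43); int 68h (CD 68)
    "M07": rb"\xB4\x43.{0,6}\xCD\x68",
    # Method 11 (MeltICE): the device names "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    "M11": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh (6A 4F); push 002A002Ah (68 2A 00 2A 00)
    "M12": rb"\x6A\x4F.{0,6}\x68\x2A\x00\x2A\x00",
}
# DOTALL so the gap wildcard also crosses 0x0A bytes.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample "binary": padding around four of the tricks above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"              # method 02 (offset 4)
    + b"\x33\xC0"                                   # unrelated xor ax,ax
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # method 05 (offset 13)
    + b"\x00\\\\.\\SICE\x00"                        # method 11 name (offset 24)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"       # method 12 (offset 33)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The patterns cover the 16-bit encodings shown on the page; a 32-bit build of the same checks adds a 66h operand-size prefix to the 16-bit moves, which these rules do not match.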
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>