<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; ES is assumed to be 0 (IVT segment), as set explicitly in method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original int 41h vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
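To make sense of the dr7 figures quoted for method 10, here is an added example (not part of the original text) that decodes a DR7 value into its LE/GE/GD flags and the per-breakpoint enable, R/W and LEN fields; decode_dr7() and debugger_state() are names chosen here, and the 0x700/0x400 interpretation follows the text.

```python
"""Decode an x86 DR7 value as the ring-0 check of method 10 sees it.

Bit 10 of DR7 is always set (hence 0x400 on an idle system); the 0x700
value quoted for a program started from the SoftICE loader adds the
LE (bit 8) and GE (bit 9) flags.  A BPM (memory breakpoint) shows up
as one of the L0-L3/G0-G3 enable bits plus its R/W and LEN fields.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # encoding 2 means 8 bytes only in long mode


def decode_dr7(dr7):
    """Return the global flags and a list of the enabled hardware breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln
        glob = (dr7 >> (2 * i + 1)) & 1       # Gn
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wn
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENn
            bps.append({"index": i, "local": bool(local), "global": bool(glob),
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),   # general detect: faults on any DRn access
        "breakpoints": bps,
    }


def debugger_state(dr7):
    """Classify a DR7 value using the two figures quoted in method 10."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoints set"
    if d["LE"] and d["GE"]:
        return "started from SoftICE loader (0x700)"
    return "no breakpoints (0x400)"


if __name__ == "__main__":
    # constructed values: idle, loader pattern, and L0 set as a 4-byte write BPM
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), debugger_state(value), decode_dr7(value)["breakpoints"])
```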

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE driver handle can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32)
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
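The sequences quoted for methods 01 to 07, 11 and 12 have fixed byte encodings, so an analyst can list which of these checks a protected program contains before stepping into it. The scanner below is an added example, not code from this text or from any program it mentions; the signature labels, the scan() helper and the SAMPLE buffer are constructed here.

```python
"""Static scanner for the anti-SoftICE instruction sequences shown on this page.

Each signature is the byte encoding of one of the quoted sequences
(16-bit or 32-bit x86).  Sample input is constructed, not a real binary.
"""
import re

# (label, pattern): encodings of the instructions quoted in the text.
SIGNATURES = [
    # 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("01 BoundsChecker BCHK/int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # 02: mov si,4647h (BE 47 46) ; mov di,4A4Dh (BF 4D 4A) ... int 3
    ("02 back door magic SI/DI + int 3",
     re.compile(rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2F/1684 VxD ID query",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41)
    ("05 int 41/4F debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # 07: mov ah,43h (B4 43) ; int 68h (CD 68)
    ("07 int 68/43 V86 check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # 11: device names opened by MeltICE and the _lopen variant
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature found in blob."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: NOP padding around the Haspinst-style back door call,
# the int 2F/1684 SIWVID query and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"        # mov ax,0911h  (execute SoftICE command)
    + b"\x8B\x17"            # mov dx,[bx]
    + b"\xBE\x47\x46"        # mov si,4647h  (1st magic value)
    + b"\xBF\x4D\x4A"        # mov di,4A4Dh  (2nd magic value)
    + b"\xCC"                # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"   # mov ax,1684h; mov bx,7A5Fh; int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"     # '\\.\SICE',0 as passed to CreateFileA/_lopen
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print("0x%04X  %s" % (off, label))
```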

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>