<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only runs if int 41h was not intercepted
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (timer counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
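As an added example (not part of the original text), the Python below is a signature scanner an analyst can run over a raw code image to find the instruction sequences of Methods 01 to 07 before tracing a packed program. The byte patterns are the 16-bit encodings of the snippets above with an optional 0x66 prefix for their 32-bit forms; the sample image is constructed here by hand-assembling the HASP loop from Method 02 plus the Method 05 and 07 checks.

```python
import re

# Byte-pattern signatures for the detection sequences quoted in Methods 01-07.
# Encodings are 16-bit; an optional 0x66 operand-size prefix is accepted so the
# same patterns also hit the 32-bit forms. `.{0,8}?` tolerates a few bytes of
# other register setup between the marker instruction and the INT.
SIGNATURES = {
    "Method 01 (BoundsChecker 'BCHK' in ebp, int 3)":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    "Method 02 (SI=4647h, DI=4A4Dh back door, int 3)":
        re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC",
                   re.DOTALL),
    "Method 03/04 (int 2Fh/1684h, VxD ID 0202h or 7A5Fh)":
        re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"
                   rb".{0,8}?\xCD\x2F", re.DOTALL),
    "Method 05/06 (int 41h function 4Fh)":
        re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL),
    "Method 07 (int 68h function 43h)":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),
}


def scan(code: bytes):
    """Return sorted (offset, signature name) pairs for every hit in `code`."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(code):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample image: the HASP loop from Method 02, followed by the
# simplest Method 05 check and the Method 07 check, hand-assembled (16-bit).
SAMPLE = bytes.fromhex(
    "90 90 90"                      # nop filler
    "B8 11 09"                      # mov ax,0911h
    "8B 17"                         # mov dx,[bx]
    "BE 47 46"                      # mov si,4647h
    "BF 4D 4A"                      # mov di,4A4Dh
    "CC"                            # int 3
    "83 C3 02 41 83 F9 06 72 EB"    # add bx,2 / inc cx / cmp cx,6 / jb
    "B8 4F 00 CD 41 3D 86 F3"       # mov ax,4Fh / int 41h / cmp ax,0F386h
    "B4 43 CD 68 3D 86 F3"          # mov ah,43h / int 68h / cmp ax,0F386h
    "C3"                            # ret
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:04X}: {name}")
```

Real samples may interleave the marker moves differently or use other registers, so treat a hit as a lead to inspect, not a verdict.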
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
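As an added example (not from the original text), the Python below decodes a DR7 value into the fields a ring0 check like this one reads, so the 0x700 / 0x400 values quoted above and the BPM slots (dr0 to dr3) become visible: 0x400 is only the reserved bit 10, while 0x700 adds the LE and GE exact-breakpoint bits. Bit positions follow the Intel SDM; the sample values in the test are constructed.

```python
# DR7 layout (Intel SDM vol. 3): L0..L3 at bits 0,2,4,6; G0..G3 at bits 1,3,5,7;
# LE bit 8; GE bit 9; bit 10 reserved (reads as 1); GD bit 13;
# R/Wn at bits 16+4n..17+4n; LENn at bits 18+4n..19+4n.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the enabled BPM slots."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            rw = dr7 >> (16 + 4 * n) & 0b11
            ln = dr7 >> (18 + 4 * n) & 0b11
            slots.append({"slot": n, "global": glob,
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def method10_flags_set(dr7: int) -> bool:
    """True when DR7 carries the LE/GE bits that make up the 0x700 value the
    text associates with a program started under the SoftICE loader."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def clear_bpm(dr7: int) -> int:
    """Return DR7 with the four local/global enable bits cleared, which is
    what 'clearing BPMs' amounts to; LE/GE and the reserved bit are kept."""
    return dr7 & ~0xFF
```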
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>