About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; our handler leaves ax=4fh; a system debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; remember the al we were called with
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer port: a changing value, no 4Fh constant to spot
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; al changed or our handler never ran -> debugger
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

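To see what such a check actually reads, here is an added example (not code from the post) that decodes the two dr7 values quoted above using the DR7 bit layout from the Intel SDM (vol. 3, "Debug Registers"): bits 0-7 are the L0/G0..L3/G3 enable pairs, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1, and bits 16-31 hold the R/W and LEN fields of the four breakpoints. So 0x400 is an idle register and 0x700 is LE+GE set on top of it, which is what a protector treats as the loader's fingerprint. The function names and the verdict strings are mine.

```python
# Added example: decode/encode DR7 as a Method 10 style check sees it.
# Bit positions follow the Intel SDM DR7 description; names are mine.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_KIND = {0: "1 byte", 1: "2 bytes", 2: "8 bytes (x86-64 only)", 3: "4 bytes"}
DR7_RESERVED_BIT10 = 1 << 10   # always reads as 1, hence the 0x400 base value
DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable


def decode_dr7(dr7):
    """Return the LE/GE flags and the list of enabled hardware breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # L0..L3 are the even bits 0,2,4,6
        glob = (dr7 >> (2 * n + 1)) & 1       # G0..G3 are the odd bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn field, 2 bits
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn field, 2 bits
            bps.append({"n": n, "local": bool(local), "global": bool(glob),
                        "kind": RW_KIND[rw], "len": LEN_KIND[ln]})
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE), "breakpoints": bps}


def encode_bpm(n, kind, length, use_global=True):
    """Build the dr7 value one BPM-style breakpoint n would need (hypothetical helper)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {1: 0, 2: 1, 4: 3}[length]
    enable = 1 << (2 * n + 1) if use_global else 1 << (2 * n)
    return DR7_RESERVED_BIT10 | enable | (rw << (16 + 4 * n)) | (ln << (18 + 4 * n))


def method10_verdict(dr7):
    """What a check that only reads dr7 concludes from the value."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints set"
    if d["LE"] and d["GE"]:
        return "SoftICE loader signature (LE/GE set)"
    return "clean"


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "read/write", 4)):
        print(hex(value), method10_verdict(value), decode_dr7(value))
```

A BPM on a 4-byte read/write range in DR0, set globally, encodes to 0xF0402, which is why "simply reading their value" is enough: any of bits 0-7 being set means a hardware breakpoint exists, whatever the reserved base value.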
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the VxD answered the open: SoftICE is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

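The breakpoints above catch these tricks at run time. For triage before running anything, the same sequences can be found statically: here is an added example (not code from the post or from any of the tools it names) that scans a file image for the instruction sequences of Methods 01-07 and 12. The byte patterns are my own encodings of the snippets quoted in the text (x86 opcodes; the 0x66 operand-size prefix is made optional so that 16-bit and 32-bit builds of the same snippet both match), and the sample buffer is constructed here.

```python
# Added example: static scan for the anti-SoftICE probe sequences of
# Methods 01-07 and 12. Patterns are my encodings of the quoted snippets.
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (the back door magic values)
    "M02": rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (SICE / SIWVID VxD IDs)
    "M03/M04": rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05 (and Stone's first variant): mov ax,4Fh / int 41h
    "M05": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 06: in al,40h / xor cx,cx / int 41h (no 4Fh constant to look for)
    "M06": rb"\xE4\x40\x66?(?:\x31|\x33)\xC9\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Weak indicator shared by 05/06/07/12: cmp ax,0F386h, the debugger magic value
    "F386": rb"\x66?\x3D\x86\xF3",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return [(offset, signature name, matched bytes as hex)] sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name, m.group().hex()))
    return sorted(hits)


def build_sample():
    """Constructed buffer: harmless filler with a few of the snippets embedded."""
    filler = bytes(range(0x90, 0xA0)) * 2                   # 32 bytes, no opcode we key on
    parts = [
        filler,
        bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505"),  # Method 01 + cmp al,4 / jnz
        filler,
        bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC"),      # Method 02 in the Haspinst order
        filler,
        bytes.fromhex("B88416 BB0202 CD2F"),                 # Method 03 (VxD ID 0202h)
        filler,
        bytes.fromhex("6A4F 682A002A00"),                    # Method 12
        filler,
        bytes.fromhex("3D86F3 7401"),                        # cmp ax,0F386h / jz
    ]
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, name, raw in scan(data):
        print(f"{off:#08x}  {name:8}  {raw}")
```

Run it on a file to list offsets, or with no argument to see it find the five embedded snippets. The "F386" pattern is only a hint on its own (three bytes will collide in large binaries); it is worth reporting when it sits a few bytes after one of the int 41h/68h or VxDCall patterns, which is how Methods 05, 07 and 12 use it.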
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

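Methods 11 and 13 both leave plain strings in the binary: the device names handed to CreateFileA/_lopen and the registry key paths handed to RegOpenKey. The added example below (mine, not code from the post) looks for those strings in ASCII and in UTF-16LE, case-insensitively, and also computes where 'tICE' falls inside the lpSubKey strings (esp->8 of RegOpenKey). It shows that the 0x13 and 0x37 offsets in the BPX above are exactly the positions of 'tICE' in keys #2 and #1. The function names and the sample buffer are constructed here.

```python
# Added example: string artifacts of Methods 11 and 13, plus the 'tICE'
# offsets used by the BPX _regopenkey expression. Names are mine.

SOFTICE_DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
SOFTICE_REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",        # #1
    r"Software\NuMega\SoftICE",                                            # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",   # #3
]


def find_softice_strings(data):
    """Return [(offset, encoding, string)] for each case-insensitive occurrence."""
    hits = []
    haystack = data.lower()    # bytes.lower() only folds ASCII letters, which is all we need
    for s in SOFTICE_DEVICE_NAMES + SOFTICE_REGISTRY_KEYS:
        for enc in ("ascii", "utf-16-le"):
            needle = s.lower().encode(enc)
            pos = haystack.find(needle)
            while pos >= 0:
                hits.append((pos, enc, s))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits)


def tice_offset(subkey):
    """Offset of 'tICE' inside a RegOpenKey lpSubKey string (what esp->8+N reads)."""
    return subkey.index("tICE")


def build_sample():
    """Constructed blob: a fake header, one ASCII and one wide device name, one key."""
    filler = b"\x00" * 16
    return b"".join([
        b"MZ", filler,                                   # 18 bytes of header-ish padding
        b"\\\\.\\SICE\x00",                              # ASCII \\.\SICE at offset 18
        filler,
        r"\\.\NTICE".encode("utf-16-le"),                # wide \\.\NTICE at offset 43
        filler,
        b"Software\\NuMega\\SoftICE\x00",                # registry key #2 at offset 77
    ])


if __name__ == "__main__":
    for off, enc, s in find_softice_strings(build_sample()):
        print(f"{off:#06x} {enc:10} {s}")
    for key in SOFTICE_REGISTRY_KEYS[:2]:
        print(f"'tICE' at {tice_offset(key):#x} in {key}")
```

The UTF-16LE pass matters for NT-era builds that call the wide registry and file APIs; an ASCII-only search would miss them. The offsets come out as 0x13 for key #2 and 0x37 for key #1, so the BPX condition is tied to those two exact key layouts and would not fire on key #3.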
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.