About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with ebp = 'BCHK'
and ax = 4, an int 3 that SoftICE answers comes back with al changed,
so if al is still 4 afterwards, SoftICE is not there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first, so if no VxD with
that ID answers, ES:DI stays 0000:0000 and the check passes.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It installs a harmless int 41h handler
before the call and restores the original vector afterwards. The reason:
with no debugger present the int 41h slot of the real-mode vector table is
not a code address at all (the BIOS keeps the pointer to the fixed-disk
parameter table for drive 0 there), so a naked int 41h would jump into data.
A debugger that intercepts int 41h before the real-mode vector is consulted,
which is how SoftICE sees it, still answers with 0F386h:

    xor     ax,ax
    mov     es,ax                   ; es = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method similar to the preceding one but more difficult to detect,
because neither function 4Fh nor the value 0F386h ever shows up: al is
filled with a hard-to-predict value (the PIT counter read from port 40h),
cl is zeroed, and the installed handler copies al into cl. If SoftICE
answers the int 41h instead of chaining to the program's handler, cl stays
0 and differs from al.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0 counter: a changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
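The sequences in methods 01 through 07 all carry fixed immediates (the 'BCHK' constant, the FG/JM magic values, the VxD IDs, function 4Fh on int 41h, function 43h on int 68h), so they can be hunted for statically in a packed executable or a memory dump before running anything. The following Python is an added example, not part of the original text or of any packer: it encodes those instruction sequences as their standard x86 opcode bytes (16-bit encodings, with an optional 66h operand-size prefix tolerated before each instruction so 32-bit code matches too) and runs them over a constructed sample buffer. It is a byte matcher, not a disassembler; real protectors reorder or pad these sequences, so a hit is a lead to inspect, not proof, and a miss is not clearance.

```python
"""Scan raw code bytes for the anti-SoftICE sequences of methods 01-07.

Added example: the opcode bytes below are the standard x86 encodings of the
instructions shown in the text, not code taken from any packer.
"""
from typing import Dict, List, Tuple

OPSIZE_PREFIX = 0x66  # tolerated before each instruction (16-bit vs 32-bit code)

# Each entry lists the instructions of one trick, in order, as the bytes a
# 16-bit assembler emits. In 32-bit code 'mov ax,imm16' gains a 66h prefix
# and 'mov ebp,imm32' loses its 66h prefix; both forms match below.
SIGNATURES: Dict[str, List[bytes]] = {
    "method 01: BoundsChecker 'BCHK' int 3": [
        b"\xBD\x4B\x48\x43\x42",  # mov ebp, 4243484Bh ('BCHK')
        b"\xB8\x04\x00",          # mov ax, 4
        b"\xCC",                  # int 3
    ],
    "method 02: SoftICE back door (SI='FG', DI='JM')": [
        b"\xBE\x47\x46",          # mov si, 4647h
        b"\xBF\x4D\x4A",          # mov di, 4A4Dh
        b"\xCC",                  # int 3
    ],
    "method 03: int 2Fh/1684h, SICE VxD ID 0202h": [
        b"\xB8\x84\x16",          # mov ax, 1684h
        b"\xBB\x02\x02",          # mov bx, 0202h
        b"\xCD\x2F",              # int 2Fh
    ],
    "method 04: int 2Fh/1684h, SIWVID VxD ID 7A5Fh": [
        b"\xB8\x84\x16",          # mov ax, 1684h
        b"\xBB\x5F\x7A",          # mov bx, 7A5Fh
        b"\xCD\x2F",              # int 2Fh
    ],
    "method 05: int 41h function 4Fh": [
        b"\xB8\x4F\x00",          # mov ax, 4Fh
        b"\xCD\x41",              # int 41h
    ],
    "method 07: int 68h function 43h": [
        b"\xB4\x43",              # mov ah, 43h
        b"\xCD\x68",              # int 68h
    ],
}


def match_at(buf: bytes, pos: int, instrs: List[bytes]) -> int:
    """Return the number of bytes matched at pos, or 0 if the sequence is absent."""
    start = pos
    for ins in instrs:
        if pos < len(buf) and buf[pos] == OPSIZE_PREFIX:
            pos += 1                       # skip an operand-size prefix
        if buf[pos:pos + len(ins)] != ins:
            return 0
        pos += len(ins)
    return pos - start


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, trick name) for every signature found in buf."""
    hits: List[Tuple[int, str]] = []
    for pos in range(len(buf)):
        for name, instrs in SIGNATURES.items():
            if match_at(buf, pos, instrs):
                hits.append((pos, name))
    return hits


# Constructed sample (not a real binary): 32-bit code using method 01, then
# 16-bit code using methods 02 and 05, with the compare/jump bytes the text shows.
SAMPLE = bytes.fromhex(
    "90 90 90"                          # nop padding
    "BD 4B 48 43 42 66 B8 04 00 CC"     # method 01 (32-bit form), offset 3
    "3C 04 75 10"                       # cmp al,4 / jnz SoftICE_Detected
    "B8 11 09 BE 47 46 BF 4D 4A CC"     # mov ax,0911h + method 02, offset 20
    "B8 4F 00 CD 41 3D 86 F3"           # method 05 + cmp ax,0F386h, offset 27
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Point `scan()` at a raw code section (or a memory dump taken after the packer has unpacked itself, since most protectors only expose these sequences in memory) and inspect each offset in a disassembler; the immediates are what matter, so a protector that loads them through a register or splits them into two moves will need a pattern of its own.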


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                   ; set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPM) are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
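The C sample above probes one device name; a complete MeltICE-style check walks all three names the text lists, and the interesting part for a defender is that the only thing the check needs is for the open to succeed. The following Python is an added example, not the nmtrans.dll or MeltICE code: it keeps the Win32 binding (CreateFileA with exactly the arguments of the C sample, via ctypes) separate from the decision logic, with the opener injectable so the logic runs and is checked on a machine without Windows or SoftICE. The device names are from the text; the component labels and the fake opener are constructed for the example.

```python
"""MeltICE-style probe: try to open SoftICE's driver device names.

Added example, not the nmtrans.dll/MeltICE code. Device names are the ones
the text lists; the opener is injectable so the logic is testable offline.
"""
import sys
from typing import Callable, Dict, List

# Device name -> which SoftICE component answers to it (names from the text).
SOFTICE_DEVICES: Dict[str, str] = {
    r"\\.\SICE": "SoftICE (Win9x)",
    r"\\.\SIWVID": "SoftICE video driver (Win9x)",
    r"\\.\NTICE": "SoftICE (WinNT)",
}

# An opener takes a device path and returns True if a handle could be opened.
Opener = Callable[[str], bool]


def win32_opener(path: str) -> bool:
    """CreateFileA(path, GENERIC_READ|GENERIC_WRITE, share r/w, OPEN_EXISTING), as in the C sample."""
    if sys.platform != "win32":
        raise RuntimeError("CreateFileA is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileA.restype = wintypes.HANDLE
    k32.CreateFileA.argtypes = [wintypes.LPCSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 3, 0x80
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    h = k32.CreateFileA(path.encode("ascii"), GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)      # the handle itself is never used, only its existence
    return True


def probe_softice(opener: Opener, devices: Dict[str, str] = SOFTICE_DEVICES) -> List[str]:
    """Return the components whose device could be opened (empty list = nothing detected)."""
    found: List[str] = []
    for path, component in devices.items():
        try:
            if opener(path):
                found.append(component)
        except OSError:
            pass                # a failed open counts like INVALID_HANDLE_VALUE
    return found


def fake_opener(present: List[str]) -> Opener:
    """Constructed opener that 'succeeds' only for the listed paths (for offline use)."""
    return lambda path: path in present


if __name__ == "__main__":
    opener = win32_opener if sys.platform == "win32" else fake_opener([r"\\.\NTICE"])
    print(probe_softice(opener) or "no SoftICE device answered")
```

Because the decision rests entirely on whether the open succeeds, whatever answers to those device names flips the result: the text's `BPX CreateFileA if *(esp->4+4)=='SICE' ...` catches the call at the earliest point, and forcing the return value to INVALID_HANDLE_VALUE there neutralises every variant built on this pattern, including the 16-bit _lopen one.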

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" inside keys #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
  `3 `) M8 b- H5 S' \</PRE></TD></TR></TBODY></TABLE>