About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector is kept in bx:dx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; without a debugger, ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; any changing value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler did not run -> hooked
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

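The two DR7 values quoted above are easier to read once the register is split into fields. What follows is an added example, not part of the original text: a decoder for DR7 that assumes the standard IA-32 layout (L0..G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 always reads as 1, GD in bit 13, R/Wn and LENn in bits 16-31) and takes the register value as a plain integer, so it does not itself need ring0. 0x700 and 0x400 differ exactly in LE and GE; an armed BPM shows up as an enabled slot with its access kind and length.

```python
"""Decode DR7 the way the ring0 check described in Method 10 reads it.

Added example, not from the original text.  Values are passed in as
integers; nothing here reads or writes a real debug register.
"""

# R/W field (2 bits per slot): what access triggers the breakpoint.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field (2 bits per slot): 0b10 means 8 bytes only in 64-bit mode.
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global control bits and the four breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bit 0, 2, 4, 6
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bit 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * n)) & 0b11     # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 0b11     # LENn
        slots.append({
            "slot": n,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),     # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),     # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),    # general detect (trap on MOV DRn)
        "slots": slots,
    }


def active_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 that currently arm a breakpoint (the 'BPM set' case)."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def looks_like_softice_loader(dr7: int) -> bool:
    """True when DR7 carries the LE|GE bits that turn 0x400 into the 0x700
    value the text associates with a program started by the SoftICE loader."""
    return (dr7 & 0x300) == 0x300


def dr7_for_memory_breakpoint(slot: int, kind: str, length: int,
                              base: int = 0x400) -> int:
    """Build a DR7 value arming one local breakpoint (used to construct input)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_for_memory_breakpoint(1, "write", 4)):
        d = decode_dr7(value)
        print(f"dr7={value:#010x}  LE={d['LE']}  GE={d['GE']}  "
              f"active={active_breakpoints(value)}")
```

Only the enable bits and slot fields matter for the check the text describes; the addresses being watched live in DR0..DR3 themselves, which this decoder does not need.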
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the VxD by its device name only succeeds when the driver
      is loaded (see the Control_Dispatch discussion below). */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
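The breakpoints listed under each method only fire once the sample is already running under SoftICE. As an added example that is not part of the original text, here is a small static triage script in Python that looks for the instruction bytes and strings quoted for Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, so an analyst knows before loading a DOS or Win9x file which checks to expect. The opcode encodings used in the patterns (for instance 'mov si,4647h' = BE 47 46, 'int 41h' = CD 41, 'mov ebp,imm32' = BD imm32) are standard x86 and are an assumption of the example, not something the text gives; the image it scans is constructed by hand and is not a real protector.

```python
"""Static triage for the anti-SoftICE tricks catalogued in this text.

Added example, not from the original text.  Each trick is reduced to the
instruction bytes or strings the text quotes; the sample image below is
constructed by hand to exercise the scanner.
"""
import re

# One entry per trick: (name, byte regex, extra re flags).  DOTALL is always
# on so the '.{0,8}?' gaps may contain any byte; IGNORECASE is only used where
# the target is text (registry paths).  Opcode encodings are the standard
# 16-bit/32-bit x86 forms, e.g. 'mov si,4647h' = BE 47 46, 'int 41h' = CD 41;
# an optional 66h operand-size prefix is tolerated for the 16-bit moves.
SIGNATURES = [
    ("Method 01: 'BCHK' loaded into EBP, then INT 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", 0),
    ("Method 02: back door magic SI=4647h, DI=4A4Dh, then INT 3",
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC", 0),
    ("Method 03/04: INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", 0),
    ("Method 05: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00\xCD\x41", 0),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68", 0),
    ("Method 11: MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", 0),
    ("Method 12: VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", 0),
    ("Method 13: SoftICE registry key path",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     re.IGNORECASE),
]
COMPILED = [(name, re.compile(pattern, re.DOTALL | flags))
            for name, pattern, flags in SIGNATURES]


def scan(image: bytes) -> list:
    """Return [(offset, name)] for every signature hit, ordered by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(image)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image: a few of the tricks above separated by NOP padding."""
    pad = b"\x90" * 16
    return b"".join([
        pad,
        # Method 01: mov ebp,4243484Bh ; mov ax,4 (66 B8 04 00) ; int 3 ; cmp al,4
        b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04",
        pad,
        # Method 02 (16-bit): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
        b"\xB8\x11\x09" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC",
        pad,
        # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
        b"\xB8\x4F\x00" b"\xCD\x41" b"\x3D\x86\xF3",
        pad,
        # Method 11: the device name MeltICE hands to CreateFileA
        b"\\\\.\\SICE\x00",
        pad,
        # Method 13: registry path of the SoftICE installation
        b"Software\\NuMega\\SoftICE\x00",
        pad,
    ])


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Run it on a real file with scan(open(path, "rb").read()). A hit is a pointer to where to look, not proof: the same bytes can occur in data, and a packer that builds the magic values at run time leaves nothing for this pass to find, which is why the breakpoints given under each method remain the check that counts.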

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>