<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the program puts
the 'BCHK' signature in EBP and function 04h in AX, then issues an int 3.
When SoftICE is loaded, its int 3 handler recognises the signature and
answers the request, returning with AL = 0; when it is not, the int 3 is
handled like any other breakpoint and AL still holds 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

Note that without SoftICE the int 3 is a plain breakpoint exception, so the
program has to provide its own handler for it (see the HASP example in
Method 02) or it will simply crash.
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which can return information about
breakpoints or execute SoftICE commands...
It is also abused to crash SoftICE or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description of the functions:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires before it honours the call.
For more information, see Ralf Brown's Interrupt List, entry INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands, each pointed to by ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the exception handler the program has
installed for int 3: when SoftICE is not loaded, nothing else services the
interrupt, the handler takes over and execution resumes at 00ADh.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD API entry point via
int 2Fh/1684h (Get Device API Entry Point) with the VxD ID in BX. ES:DI is
zeroed beforehand; if the VxD is not loaded it stays zero, and any non-zero
ES:DI means the SICE VxD answered. This interface is only available to
16-bit (DOS/V86 or Win16) code; see Method 09 for the ring-0 equivalent.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD (SIWVID, the video driver).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It swaps its own handler (a bare IRET)
into the int 41h vector around the call, so that with no debugger present
the call returns harmlessly with AX still 4Fh, whatever was hooked there
before:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot because
neither 4Fh nor 0F386h appears in the code. The program installs an int 41h
handler that simply copies AL into CL, loads AL with a pseudo-random value
read from the timer port (in al,40h), clears CX and calls int 41h. Without a
debugger the program's own handler runs and CL ends up equal to AL. If
SoftICE is loaded it intercepts int 41h itself, the handler in the vector
table is never reached, CL stays 0 and the comparison fails. (The check is
silently defeated on the rare occasions the port happens to return 0.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random function number from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 debugger interface):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can catch a
32-bit app doing this like so:

        BPX exec_int if ax==68

(for 32-bit apps the function called is located at byte ptr [ebp+1Dh] and
the client EIP at [ebp+48h])
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
possible from ring 0 (a VxD, or a ring-3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed, 0 otherwise.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (possible in
ring 0 only, since MOV from DRx is a privileged instruction) you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with
SoftICE Loader, 0x400 otherwise: bit 10 of DR7 always reads as 1, and the
loader additionally leaves the LE/GE exact-breakpoint bits 8 and 9 set) and
whether memory breakpoints (BPM) are armed, since their addresses sit in
DR0 to DR3 with the matching enable bits in DR7. The values can also be
written back (clearing BPMs, for instance).

__________________________________________________________________________

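The DR7 values above (0x400 idle, 0x700 after SoftICE Loader) and the BPM slots follow directly from the register's layout. As an added example, not part of the original text, here is a small Python decoder for a DR0-DR3/DR7 snapshot such as a ring-0 component of the kind described in Method 10 would read. The function names (decode_dr7, softice_verdict, softice_bpm_bits) and the register values used as inputs are mine and constructed, not captured from a real SoftICE session.

```python
# Added example: decode the debug registers Method 10 reads from ring 0.
# DR7 layout (Intel SDM): bits 0/2/4/6 = L0..L3 (local enable), bits 1/3/5/7
# = G0..G3 (global enable), bit 8 = LE, bit 9 = GE, bit 10 = reserved and
# always 1, bit 13 = GD, bits 16+4n / 18+4n = RWn / LENn for slot n.
DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # always set: an idle DR7 reads 0x400, never 0
DR7_GD = 1 << 13         # general detect: #DB on any access to DR0-DR7

RW_NAMES = {0: "X", 1: "W", 2: "IO", 3: "RW"}   # no read-only type on x86
LEN_NAMES = {0: "B", 1: "W", 3: "D", 2: "Q"}    # 2 = 8 bytes (64-bit only)


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return the armed hardware breakpoints plus the debugger-related flags."""
    addrs = (dr0, dr1, dr2, dr3)
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        slots.append({
            "slot": n,
            "addr": addrs[n],
            "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_NAMES[(dr7 >> (18 + 4 * n)) & 3],
            "scope": "global" if glob else "local",
        })
    return {
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def softice_verdict(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Apply the Method 10 reasoning to a snapshot: armed slots mean BPMs are
    set; LE/GE set (0x700) means the program was started by SoftICE Loader;
    exactly 0x400 is the idle baseline."""
    info = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    if info["breakpoints"]:
        return "BPM set"
    if info["exact"]:
        return "loaded via SoftICE Loader"
    if (dr7 & ~DR7_RESERVED1) == 0:
        return "clean"
    return "other DR7 flags set"


def softice_bpm_bits(slot, kind, size="B"):
    """DR7 bits a BPM on `slot` needs, e.g. softice_bpm_bits(0, "RW", "D") for
    'BPM D addr RW'. Execute breaks must be 1 byte long, so `size` is forced
    to B for kind X; a read-only break does not exist on x86, so R maps to RW."""
    rw = {"X": 0, "W": 1, "R": 3, "RW": 3}[kind]
    ln = 0 if kind == "X" else {"B": 0, "W": 1, "D": 3}[size]
    return (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
```

Anything other than 0x400 with no slot enabled means something touched DR7 (the loader, or a debugger setting GD), which is exactly the signal a ring-0 check of this kind keys on.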
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one (esp->4 is the first parameter, lpFileName; +4 skips
 the "\\.\" prefix so the 4-byte compare lands on the driver name):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" in the #2 and #1 sub-key strings):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

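Most of the checks above (Methods 01 to 07, 11, 12 and 13) leave fixed byte sequences or strings in the file, which is what a packer scanner or an analyst's disassembler script looks for before ever running the target. The following Python scanner is an added example, not code from the original text or from any of the programs it mentions: it encodes those sequences as byte regexes (the opcode bytes are the standard 16-bit encodings of the listings, with the 66h prefix and 32-bit immediates accepted for Win32 code) and reports the offset and method of every hit. The SAMPLE blob is constructed by hand from the Method 02 and 03 listings plus two strings. Wide (UTF-16) strings and any sequence a packer rebuilds at run time are not covered.

```python
import re

# Added example: static signatures for the anti-SoftICE tricks in the text.
# Each entry: (method, description, byte regex, extra flags). Opcode bytes
# are the 16-bit encodings of the listings (e.g. B8 4F 00 = mov ax,4Fh,
# CD 41 = int 41h); `.{0,N}?` allows a few instructions between the two
# halves of a probe. IGNORECASE is only used on text patterns, never on
# opcodes (0x43 'C' would otherwise also match 0x63).
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,'BCHK' ... int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)", 0),
    ("02", "int 3 back door magic: mov si,4647h / mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,10}?\xBF\x4D\x4A", 0),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F", 0),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", 0),
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41", 0),
    ("05/07/12", "compare against the F386h debugger magic (cmp ax,0F386h)",
     rb"\x66?\x3D\x86\xF3", 0),
    ("07", "int 68h/43h WinICE V86 handler check",
     rb"\xB4\x43.{0,8}?\xCD\x68", 0),
    ("11", "MeltICE driver names",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b", re.IGNORECASE),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", 0),
    ("13", "SoftICE registry keys",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     re.IGNORECASE),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL | f)) for m, d, p, f in SIGNATURES]


def scan(data):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the Method 02 HASP sequence and the Method 03 probe,
# hand-assembled from the listings and padded with NOPs, followed by the
# MeltICE device name (Method 11) and registry key #2 (Method 13).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h   <- Method 02, offset 9
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCD\x03"                      # int 3
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7"              # xor di,di / mov es,di
    + b"\xB8\x84\x16"                  # mov ax,1684h
    + b"\xBB\x02\x02"                  # mov bx,0202h   <- Method 03, offset 28
    + b"\xCD\x2F"                      # int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"               # Method 11, offset 37
    + b"Software\\NuMega\\SoftICE\x00" # Method 13, offset 55
)


if __name__ == "__main__":
    import sys
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, method, desc in found:
        print(f"{off:08x}  Method {method:<9} {desc}")
```

Run it with a file argument to scan a real binary, or with none to see the hits in the constructed sample. A hit is a lead, not proof: the F386h compare and the int 41h call are also emitted by legitimate debugger-aware code, so confirm each offset in a disassembler.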
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag (the zero flag is set on return when no
debugger is installed).
</PRE></TD></TR></TBODY></TABLE>