About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer port: a changing value in al
    xor     cx,cx
    int     41h                     ; our handler should copy al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger intercepted the call
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

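The 0x700 and 0x400 values quoted above follow from DR7's bit layout. The decoder below is an added example, not code from the original post; the layout is the one documented in the Intel manual, and set_bpm/clear_bpms are hypothetical helpers modelling what arming a BPM on DR0, or the 'clearing BPMs' trick, does to DR7.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7  : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bits 8, 9  : LE, GE  (exact breakpoint enable, set by debuggers)
#   bit 10     : reserved, always reads as 1 -> an idle DR7 is 0x400
#   bit 13     : GD  (general detect: traps any MOV to/from a debug register)
#   bits 16+4i : R/W field of DRi (2 bits); bits 18+4i : LEN field of DRi (2 bits)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN=2 (8 bytes) exists only on 64-bit CPUs
KIND_RW = {v: k for k, v in RW_KIND.items()}
BYTES_LEN = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return the flag bits and the list of armed hardware breakpoints in dr7."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            bps.append({"reg": i,
                        "scope": "global" if glob else "local",
                        "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
                        "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "breakpoints": bps}


def classify(dr7):
    """What Method 10 reads into a DR7 value (the two figures quoted on the page)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm-set"            # some DR0..DR3 breakpoint is armed
    if d["LE"] and d["GE"]:
        return "softice-loader"     # 0x700: LE + GE + the reserved bit
    return "idle"                   # 0x400: only the reserved bit


def set_bpm(dr7, reg, kind, nbytes, global_scope=False):
    """Hypothetical model of arming a memory breakpoint on DR<reg> (what a BPM does)."""
    shift = 16 + 4 * reg
    dr7 &= ~(0xF << shift)                                 # clear old R/W and LEN fields
    dr7 |= (KIND_RW[kind] | (BYTES_LEN[nbytes] << 2)) << shift
    return dr7 | (1 << (2 * reg + (1 if global_scope else 0)))


def clear_bpms(dr7):
    """The 'clearing BPMs' trick: drop every enable bit and every R/W/LEN field."""
    return (dr7 & 0x0000FF00) | 0x400                      # keep LE/GE and the reserved bit
```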
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()           /* needs windows.h (CreateFile, CloseHandle) */
{
   HANDLE hFile;
   /* the open only succeeds if the SICE VxD answers for that device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

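The sequences of methods 01 to 12 have fixed opcode bytes, so an analyst can flag them statically in a packed or protected binary. The scanner below is an added example, not part of the original post: the signatures are the standard x86 encodings of the instructions quoted in those methods, and SAMPLE is a constructed buffer, not bytes from any real file.

```python
import re

# Byte signatures for the detection sequences of methods 01-12 (16-bit operand
# size unless noted).  ".{0,n}?" tolerates a few interleaved instruction bytes.
SIGNATURES = [
    ("M01", rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),                 # mov ebp,4243484Bh .. int 3
    ("M02", rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,12}?\xcc"),     # mov si,4647h; mov di,4A4Dh .. int 3
    ("M03", rb"\xb8\x84\x16.{0,4}?\xbb\x02\x02.{0,4}?\xcd\x2f"),  # mov ax,1684h; mov bx,202h; int 2Fh
    ("M04", rb"\xb8\x84\x16.{0,4}?\xbb\x5f\x7a.{0,4}?\xcd\x2f"),  # same with bx=7A5Fh (SIWVID)
    ("M05", rb"\xb8\x4f\x00.{0,4}?\xcd\x41.{0,8}?\x3d\x86\xf3"),  # mov ax,4Fh; int 41h; cmp ax,0F386h
    ("M07", rb"\xb4\x43.{0,4}?\xcd\x68.{0,8}?\x3d\x86\xf3"),      # mov ah,43h; int 68h; cmp ax,0F386h
    ("M11", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),  # MeltICE device names
    ("M12", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),                    # push 4Fh; push 2A002Ah (VxDCall)
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan_bytes(data):
    """Return [(offset, method), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed test image: a method 01 check, a method 05 check, two MeltICE
# device-name strings and a method 12 VxDCall prologue, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"                    # mov ebp,4243484Bh ('BCHK')
    + b"\xb8\x04\x00\xcc\x3c\x04\x75\x10"            # mov ax,4; int 3; cmp al,4; jnz
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"    # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"        # "\\.\SICE", "\\.\NTICE"
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                # push 4Fh; push 002A002Ah
)

if __name__ == "__main__":
    for off, name in scan_bytes(SAMPLE):
        print(f"{off:#06x}: {name}")
```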
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

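The CreateFileA condition of method 11 and the _regopenkey condition above both read a dword through a pointer argument on the stack. The model below is an added example, not from the original post; it emulates SoftICE's `->`, `*` and four-character literal operators over a constructed memory image (the Mem class, the addresses and the stack layout are assumptions) and shows why the offsets +4, 0x13 and 0x37 are the right ones.

```python
import struct


def cc4(s):
    """SoftICE four-character literal: 'SICE' is the little-endian dword 0x45434953."""
    return struct.unpack("<I", s.encode("ascii"))[0]


class Mem:
    """Flat, constructed memory window standing in for the debuggee's address space."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data

    def dword(self, addr):
        """The SoftICE '*addr' and 'reg->off' operators: a 32-bit read."""
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]


def bpx_createfilea_hit(mem, esp):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...: esp->4 is lpFileName,
    +4 skips the four-byte "\\\\.\\" prefix, so the read lands on the device name."""
    name_ptr = mem.dword(esp + 4)
    return mem.dword(name_ptr + 4) in (cc4("SICE"), cc4("SIWV"), cc4("NTIC"))


def bpx_regopenkey_hit(mem, esp):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE':
    esp->8 is lpSubKey; 0x13 is where 'tICE' sits in key #2 and 0x37 in key #1."""
    sub = mem.dword(esp + 8)
    return cc4("tICE") in (mem.dword(sub + 0x13), mem.dword(sub + 0x37))


# Constructed image: strings at made-up addresses, the stack near the top.
BASE, ESP = 0x00400000, 0x00403F00
STR_SICE, STR_DRIVE, KEY2, KEY1 = 0x402025, 0x402040, 0x402060, 0x4020A0
HKEY_LOCAL_MACHINE = 0x80000002
mem = Mem(BASE, 0x4000)
mem.write(STR_SICE, b"\\\\.\\SICE\0")
mem.write(STR_DRIVE, b"\\\\.\\PhysicalDrive0\0")               # benign device name
mem.write(KEY2, b"Software\\NuMega\\SoftICE\0")
mem.write(KEY1, b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE\0")


def frame(esp, *args):
    """Lay out a stdcall frame at esp: return address at [esp], arguments above it."""
    mem.write(esp, struct.pack("<I", 0x00401071))               # return address from the listing
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), struct.pack("<I", a))


def createfile_hit(name_ptr):
    frame(ESP, name_ptr)                          # CreateFileA(lpFileName, ...)
    return bpx_createfilea_hit(mem, ESP)


def regopenkey_hit(subkey_ptr):
    frame(ESP, HKEY_LOCAL_MACHINE, subkey_ptr)    # RegOpenKeyA(hKey, lpSubKey, ...)
    return bpx_regopenkey_hit(mem, ESP)
```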
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>