<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since it
uses neither function 4Fh nor the 0F386h magic number: AL holds a value read
from timer port 40h and the installed handler only copies AL into CL, so if the
program's own handler ran, CL equals AL afterwards; if SoftICE serviced the
int 41h itself, CL is still 0 from the xor and the compare fails:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
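
The 0x700 / 0x400 distinction above is just the DR7 bit layout. As an added example (not part of the original text), this Python decoder splits a DR7 value into its enable flags and the four DR0..DR3 slots, so an analyst can see what the trick is actually reading; the classify() rule and the sample values are constructed.

```python
# Added example (not from the original text): decode the DR7 values that
# Method 10 reads, so that "dr7=0x700 vs 0x400" and a set memory breakpoint
# are visible as bits.  Bit layout per the Intel SDM (Vol. 3, Debug
# Registers); the classification rule and sample values are constructed.

DR7_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
DR7_LEN = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four DR0..DR3 slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # L0..L3 : bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1      # G0..G3 : bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 3       # R/W0..3: what access triggers
        ln = (dr7 >> (18 + 4 * i)) & 3       # LEN0..3: monitored width
        slots.append({
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else None),
            "kind": DR7_RW[rw],
            "length": DR7_LEN[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: #DB on any DRx access,
        "slots": slots,                #   i.e. how a debugger can catch this read
    }


def bpm_count(dr7):
    """How many of DR0..DR3 are armed (the 'memory breakpoints' the text means)."""
    return sum(1 for s in decode_dr7(dr7)["slots"] if s["enabled"])


def classify(dr7):
    """Map DR7 to the two values quoted in Method 10 (constructed rule)."""
    d = decode_dr7(dr7)
    if bpm_count(dr7):
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "LE+GE set, matches 0x700 (loaded via SoftICE loader)"
    return "no flags beyond the always-set bit 10, matches 0x400"


# Constructed samples: the two values from the text, and a DR7 with one
# 4-byte read/write breakpoint armed locally on DR0 (L0=1, R/W0=11b, LEN0=11b).
SAMPLE_CLEAN = 0x400
SAMPLE_LOADER = 0x700
SAMPLE_BPM = 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for v in (SAMPLE_CLEAN, SAMPLE_LOADER, SAMPLE_BPM):
        print(hex(v), "->", classify(v), decode_dr7(v)["slots"][0])
```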

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
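
The instruction sequences of Methods 01 to 07 and the device names and registry paths of Methods 11 to 13 are also usable for static triage of a packed program, before it is ever run. The scanner below is an added example (not from the original text, nor from any tool it names); the indicator names, the 16-bit instruction encodings it assumes, and the sample image are the editor's own constructions.

```python
# Added example (not from the original text): static triage of a program
# image for the SoftICE-detection indicators described in Methods 01-07 and
# 11-13.  Byte patterns are the 16-bit encodings of the quoted instruction
# sequences (mov r16,imm16 = B8+reg iw, mov ah,imm8 = B4 ib, cmp ax,imm16 =
# 3D iw, int n = CD ib); 32-bit code would carry a 66h prefix on the 16-bit
# forms, which only the 'BCHK' rule allows for.  Wide-char device names are
# not covered.  The sample image is constructed, not taken from a real file.
import re

INDICATORS = [
    ("M01 'BCHK' BoundsChecker signature", rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("M02 backdoor magic SI=4647h DI=4A4Dh", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)", rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02"),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A"),
    ("M05/M12 compare with magic 0F386h", rb"\x3D\x86\xF3"),
    ("M05 int 41h function 4Fh", rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("M07 int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    ("M11 driver device name", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("M13 registry key (NuMega)", rb"Software\\NuMega\\SoftICE"),
    ("M13 registry key (Uninstall/App Paths)",
     rb"CurrentVersion\\(Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]


def scan(image):
    """Return [(offset, indicator name)] for every hit, sorted by offset."""
    hits = []
    for name, pattern in INDICATORS:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(image):
    """Set of indicator names present in the image (a quick verdict)."""
    return {name for _, name in scan(image)}


# Constructed sample: NOP padding, the Haspinst-style INT 3 backdoor call of
# Method 02, the Method 05 check, a MeltICE device name and a registry path.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,0911h ... int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"           # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

A hit on a single 3-byte rule such as the 0F386h compare is weak on its own; the sequences (function number followed by the interrupt, or the two magic moves together) are the ones worth acting on.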
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>