<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in a dummy int 41h handler (ES is assumed
        xchg bx, es:[41h*4+2]   ; to address the IVT at segment 0, as Method 06 sets explicitly)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter port for an arbitrary value in AL
        xor cx,cx
        int 41h                 ; our handler copies AL into CL...
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless a debugger swallowed the interrupt
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>