<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; answered by SoftICE if it is loaded
    cmp al,4                ; al still 4 means nobody answered the call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911     ; execute command.
    4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647     ; 1st magic value.
    4C19:009D MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB   0095        ; 6 different commands.
    4C19:00AA JMP  0002        ; Bad_Guy jmp back.
    4C19:00AD MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI is still 0:0 if no such VxD answered
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler, so a 0F386h answer can only come from a debugger trapping
the interrupt below the vector table:

    xor ax,ax
    mov es,ax                   ; es must address the IVT (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer chip: a value the debugger cannot predict
    xor cx,cx
    int 41h                     ; our handler copies al into cl, a debugger's handler does not
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; (01h or 03h)
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* the device name can only be opened if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!


__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
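The following is an added example, not part of the original text or of any tool it names: a small Python scanner that looks for the byte and string signatures of the checks catalogued above (methods 01, 02, 03/04, 05, 07, 11, 12, 13 and the 0F386h compare) in a binary, the kind of triage an analyst runs on a packed sample before stepping into it. The instruction encodings are the standard x86 ones for the instructions shown in the text; the sample blob, its offsets and the label names are constructed for this example.

```python
import re

# Byte and string signatures for the SoftICE checks catalogued above, as they
# appear in a 16-bit DOS or 32-bit Win9x binary. Instruction encodings are the
# standard x86 ones; magic values and device/registry names come from the text.
SIGNATURES = {
    "M01 BoundsChecker int 3 (mov ebp,'BCHK')":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 backdoor magic (mov si,4647h ... mov di,4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    "M03 int 2Fh/1684h with VxD id 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h with VxD id 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h fn 4Fh (mov ax,4Fh; int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "M07 int 68h fn 43h (mov ah,43h; int 68h)":
        rb"\xB4\x43\xCD\x68",
    "M11 driver device name (\\\\.\\SICE / SIWVID / NTICE)":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch fn 4Fh (push 4Fh; push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 registry key Software\\NuMega\\SoftICE":
        rb"Software\\NuMega\\SoftICE",
    "magic number compare (cmp ax,0F386h)":
        rb"\x3D\x86\xF3",
}


def scan(blob: bytes):
    """Return every (offset, label) hit in blob, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        # DOTALL so the short gap allowed in the M02 pattern may contain 0x0A
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: a few of the sequences from the text glued together and
# padded with NOPs and zeros (not taken from any real file).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # M02: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # M11: device names as MeltICE passes them
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # M12: push 4Fh; push 2A002Ah; call ...
    + b"\x3D\x86\xF3"                                        # cmp ax,0F386h
)


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Running it on a real file is `scan(open(path, "rb").read())`; a hit is a lead to confirm by disassembly, since short byte patterns can also occur by chance in data.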