<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface that SoftICE answers to:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al still 4: nobody answered the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 (interrupt vector table), as set up in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler...
        xchg bx, es:[41h*4+2]   ; ...keeping the old vector in bx:dx
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; ax changed although our handler does nothing?
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl, al              ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; hard-to-predict value (timer counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al: our handler was never reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

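Added example (not from the original text): a decoder for the DR7 values quoted above, using the Intel bit layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always set, RWn/LENn at bits 16+4n and 18+4n), so that 0x400 versus 0x700 and any armed BPM can be read off a dumped value.

```python
# DR7 field meanings per the Intel SDM. 0x400 is just the always-set
# reserved bit; 0x700 adds LE and GE, which is the value the text reports
# when the target was started from the SoftICE loader.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Explain a DR7 value: which hardware breakpoints are armed and how."""
    bpm = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln enable bit
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn enable bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3        # RWn: break condition
            ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: watched size
            bpm.append({"dr": n, "local": local, "global": glob,
                        "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "reserved_bit10": bool(dr7 & 0x400),      # always 1 on a real CPU
        "local_exact": bool(dr7 & 0x100),         # LE
        "global_exact": bool(dr7 & 0x200),        # GE
        "breakpoints": bpm,
    }

def softice_indicators(dr7: int) -> list:
    """Return the Method 10 indicators present in a DR7 value."""
    d = decode_dr7(dr7)
    out = []
    if d["local_exact"] and d["global_exact"]:
        out.append("LE/GE set (dr7=0x700 pattern: loaded via SoftICE loader)")
    if d["breakpoints"]:
        out.append("%d hardware breakpoint(s) armed (BPM)" % len(d["breakpoints"]))
    return out

if __name__ == "__main__":
    # Constructed values: bare reserved bit, loader pattern, and a BPM on dr0
    # (L0 set, RW0=write, LEN0=4 bytes).
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), decode_dr7(value), softice_indicators(value))
```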
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win9x device name of the SoftICE VxD */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025           ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001            ; INVALID_HANDLE_VALUE
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected
Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in the
subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

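Added example (not part of the original text): a static scanner that flags the byte patterns of methods 01 to 07 and 11 to 13 in a file image, the way an analyst triages a packer before loading it. The instruction encodings are assumed as commented (16-bit code for the DOS-era tricks, 32-bit for the Win32 ones) and the sample image is constructed here.

```python
import re

# Byte signatures for the checks described above. mov r16,imm16 is B8+r iw,
# int n is CD n; an optional 66h operand-size prefix is tolerated where
# 32-bit code would carry it.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' + int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC",              # mov ebp,'BCHK' .. int 3
    "02 int 3 backdoor magic (si=4647h, di=4A4Dh)":
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",            # mov si,4647h / mov di,4A4Dh
    "03 int 2Fh/1684h, VxD id 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",              # mov ax,1684h / mov bx,202h / int 2Fh
    "04 int 2Fh/1684h, VxD id 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "05 int 41h/4Fh debugger check":
        rb"\xB8\x4F\x00.{0,16}?\xCD\x41",                  # mov ax,4Fh .. int 41h
    "06 int 41h with timer port probe":
        rb"\xE4\x40[\x31\x33]\xC9\xCD\x41",                # in al,40h / xor cx,cx / int 41h
    "07 int 68h/43h check":
        rb"\xB4\x43\xCD\x68",                              # mov ah,43h / int 68h
    "11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",                 # \\.\SICE, \\.\SIWVID, \\.\NTICE
    "12 VxDCall VWIN32_Int41Dispatch with 4Fh":
        rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",      # push 4Fh / push 2A002Ah
    "13 NuMega registry key":
        rb"NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(image: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, lowest offset first."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample, not a real packer: a Method 01 prologue, a Method 03
# check and the MeltICE driver name, separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"                  # mov ax, 4 (32-bit code)
    + b"\xCC"                              # int 3
    + b"\x3C\x04"                          # cmp al, 4
    + b"\x75\x10"                          # jnz SoftICE_Detected (placeholder offset)
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("0x%04x  method %s" % (off, name))
```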
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>