About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: BoundsChecker talks to
SoftICE through int 3 with EBP='BCHK', and SoftICE swallows that interrupt
and returns with AL changed. If AL is still 4 afterwards, nobody answered.
(The program needs its own int 3 handler for the case where SoftICE is
not loaded, otherwise the int 3 is an unhandled breakpoint.)

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; AL unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information about
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception (int 3)
  handler, which only gets control when the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back
pointing to its API entry point; if it is not, ES:DI stays 0000:0000.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of WINICE
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with a handler that just IRETs: without a system debugger AX is then
guaranteed to come back unchanged (4Fh), while SoftICE, which intercepts the
interrupt before the vector in the IVT is reached, still returns 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)...
    xchg    bx, es:[41h*4+2]        ; ...and segment; old vector is now in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
neither 4Fh nor 0F386h appears anywhere. The program's own int 41h handler
copies AL into CL. When SoftICE is loaded it handles int 41h itself and the
program's handler never runs, so CL (zeroed before the call) does not match AL.

int41handler PROC
    mov     cl,al                   ; only reached when no debugger hooks int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the timer (PIT counter 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Int 68h/AH=43h is
the Windows debugging-kernel installation check; a loaded system debugger
answers with AX=0F386h.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only: mov from a debug register is a privileged instruction).
Values can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     ; esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in
     ; "Software\NuMega\SoftICE" and in "...\CurrentVersion\Uninstall\SoftICE"

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
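The dr7 values quoted in Method 10 (0x700 with the SoftICE loader, 0x400 otherwise) are easier to reason about once the register is decoded bit by bit. The C decoder below is an added example, not code from the original text: it unpacks DR7 according to the Intel SDM layout, counts the armed hardware breakpoints (which is what a Method 10 check really reads out of dr0-dr3), and shows that 0x700 is just the always-set bit 10 plus LE and GE, the "exact breakpoint" enables. The `looks_like_softice_loader` heuristic is an assumption built on the text's two values only. It decodes values you hand it; reading the real DR7 needs ring 0, as the text says.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded DR7 (debug control register), layout per the Intel SDM. */
typedef struct {
    int l[4];      /* Ln:   bits 0,2,4,6  local enable for dr0..dr3 */
    int g[4];      /* Gn:   bits 1,3,5,7  global enable */
    int rw[4];     /* R/Wn: bits 16+4n    0 exec, 1 write, 2 I/O, 3 read/write */
    int len[4];    /* LENn: bits 18+4n    0 = 1 byte, 1 = 2, 3 = 4, 2 = 8 (64-bit only) */
    int le, ge;    /* bits 8, 9: local/global exact breakpoint enable */
    int gd;        /* bit 13: general detect (trap on any mov to/from drN) */
    int bit10;     /* reserved, always reads as 1 */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    for (int n = 0; n < 4; n++) {
        d.l[n]   = (dr7 >> (2 * n))      & 1;
        d.g[n]   = (dr7 >> (2 * n + 1))  & 1;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le    = (dr7 >> 8)  & 1;
    d.ge    = (dr7 >> 9)  & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd    = (dr7 >> 13) & 1;
    return d;
}

/* How many of dr0..dr3 are armed (locally or globally): the "are there
   BPMs set?" question a Method 10 check asks. */
int armed_breakpoints(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.l[i] | d.g[i]);
    return n;
}

/* Heuristic (assumption from the text's two values): the SoftICE loader
   leaves LE and GE set with nothing armed (0x700); a plain process shows
   only the reserved bit 10 (0x400). */
int looks_like_softice_loader(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge && armed_breakpoints(dr7) == 0;
}

/* Arm dr<n> the way a debugger does for a memory breakpoint:
   rw = 1 (write) or 3 (read/write); len = 0/1/3 for 1/2/4 bytes. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len)
{
    dr7 |= 1u << 10;                                /* keep the reserved bit set */
    dr7 |= 1u << (2 * n);                           /* Ln: local enable */
    dr7 &= ~(0xFu << (16 + 4 * n));                 /* clear old R/Wn and LENn */
    dr7 |= (uint32_t)(rw & 3)  << (16 + 4 * n);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * n);
    return dr7;
}

void print_dr7(uint32_t dr7)
{
    static const char *rws[]  = { "exec", "write", "io", "rd/wr" };
    static const int   lens[] = { 1, 2, 8, 4 };     /* indexed by the LEN field */
    dr7_t d = decode_dr7(dr7);
    printf("dr7=%08x LE=%d GE=%d GD=%d armed=%d\n",
           dr7, d.le, d.ge, d.gd, armed_breakpoints(dr7));
    for (int n = 0; n < 4; n++)
        if (d.l[n] || d.g[n])
            printf("  dr%d: %s%s %s len=%d\n", n, d.l[n] ? "L" : "",
                   d.g[n] ? "G" : "", rws[d.rw[n]], lens[d.len[n]]);
}

int main(void)
{
    print_dr7(0x400);                     /* plain process: nothing set */
    print_dr7(0x700);                     /* loaded via the SoftICE loader */
    print_dr7(dr7_arm(0x700, 0, 3, 3));   /* plus a 4-byte BPM RW on dr0 */
    return 0;
}
```

A protection that does what Method 10 describes only needs `armed_breakpoints()` to be non-zero, which is why the text warns against tracing with breakpoints set while that check is live: any BPM you leave in dr0-dr3 is visible to ring-0 code.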
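Most of the tricks above (01 to 05, 07, 11, 12 and 13) leave fixed byte or string sequences in the protected program, which is how one usually finds them in a binary without tracing through every int 3 or int 41h. The scanner below is an added example, not code from the original text or from any program it mentions: the byte patterns were hand-assembled from the snippets above (assuming 16-bit code for the DOS-era tricks and 32-bit code for the VxDCall and MeltICE ones, as the listings show), and the buffer it scans is a constructed sample, not a real binary. Methods 06, 08, 09, 10 and 14 have no fixed byte signature and are not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One anti-SoftICE signature: hand-assembled bytes of a snippet from the text. */
typedef struct {
    const char   *method;
    const char   *what;
    const uint8_t pat[16];
    size_t        len;
} sig_t;

static const sig_t SIGS[] = {
    { "01",    "mov ebp,4243484Bh ('BCHK') before int 3",
      {0xBD,0x4B,0x48,0x43,0x42}, 5 },
    { "02",    "mov si,4647h / mov di,4A4Dh (int 3 back door, 16-bit code)",
      {0xBE,0x47,0x46,0xBF,0x4D,0x4A}, 6 },
    { "02",    "mov si,4647h / mov di,4A4Dh (32-bit code, 66h prefixes)",
      {0x66,0xBE,0x47,0x46,0x66,0xBF,0x4D,0x4A}, 8 },
    { "03",    "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)",
      {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}, 8 },
    { "04",    "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",
      {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}, 8 },
    { "05",    "mov ax,4Fh / int 41h",
      {0xB8,0x4F,0x00,0xCD,0x41}, 5 },
    { "05/12", "cmp ax,0F386h (debugger magic; only 3 bytes, weak alone)",
      {0x3D,0x86,0xF3}, 3 },
    { "07",    "mov ah,43h / int 68h",
      {0xB4,0x43,0xCD,0x68}, 4 },
    { "12",    "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
      {0x68,0x2A,0x00,0x2A,0x00}, 5 },
    { "11",    "device name \\\\.\\SICE",
      {'\\','\\','.','\\','S','I','C','E'}, 8 },
    { "11",    "device name \\\\.\\SIWVID",
      {'\\','\\','.','\\','S','I','W','V','I','D'}, 10 },
    { "11",    "device name \\\\.\\NTICE",
      {'\\','\\','.','\\','N','T','I','C','E'}, 9 },
    { "13",    "registry path fragment NuMega\\SoftICE",
      {'N','u','M','e','g','a','\\','S','o','f','t','I','C','E'}, 14 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int contains(const uint8_t *buf, size_t n, const uint8_t *pat, size_t len)
{
    if (len == 0 || n < len) return 0;
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(buf + i, pat, len) == 0) return 1;
    return 0;
}

/* Bit i of the result is set when SIGS[i] occurs anywhere in buf. */
unsigned scan_mask(const uint8_t *buf, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, n, SIGS[i].pat, SIGS[i].len)) mask |= 1u << i;
    return mask;
}

int scan_count(const uint8_t *buf, size_t n)
{
    int c = 0;
    for (unsigned m = scan_mask(buf, n); m; m >>= 1) c += (int)(m & 1);
    return c;
}

void report(const uint8_t *buf, size_t n)
{
    unsigned m = scan_mask(buf, n);
    for (size_t i = 0; i < NSIGS; i++)
        if (m & (1u << i)) printf("method %-5s : %s\n", SIGS[i].method, SIGS[i].what);
}

/* Constructed sample (not taken from any real binary): a Haspinst-style
   back-door loop, a method 03 VxD probe, a method 05 int 41h check and a
   MeltICE device name, separated by NOPs. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,
    0xB8,0x11,0x09,            /* mov ax,0911h          */
    0x8B,0x17,                 /* mov dx,[bx]           */
    0xBE,0x47,0x46,            /* mov si,4647h          */
    0xBF,0x4D,0x4A,            /* mov di,4A4Dh          */
    0xCC,                      /* int 3                 */
    0x83,0xC3,0x02,            /* add bx,2              */
    0x41,                      /* inc cx                */
    0x83,0xF9,0x06,            /* cmp cx,6              */
    0x72,0xEB,                 /* jb  back              */
    0x90,0x90,
    0x31,0xFF,0x8E,0xC7,       /* xor di,di / mov es,di */
    0xB8,0x84,0x16,            /* mov ax,1684h          */
    0xBB,0x02,0x02,            /* mov bx,0202h          */
    0xCD,0x2F,                 /* int 2Fh               */
    0x90,0x90,
    0xB8,0x4F,0x00,            /* mov ax,4Fh            */
    0xCD,0x41,                 /* int 41h               */
    0x3D,0x86,0xF3,            /* cmp ax,0F386h         */
    0x74,0x10,                 /* jz  detected          */
    0x90,
    '\\','\\','.','\\','S','I','C','E',0x00
};

const uint8_t *sample_buf(void) { return SAMPLE; }
size_t sample_len(void) { return sizeof SAMPLE; }

int main(void)
{
    report(SAMPLE, sizeof SAMPLE);
    return 0;
}
```

Treat a hit on the 3-byte `cmp ax,0F386h` pattern as a hint rather than proof; the int 2Fh, int 41h and back-door patterns are long enough to be reliable, and a hit on one of them tells you directly which BPX or BPINT from the text to set before running the program.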