<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4            ; SoftICE answers the BoundsChecker request by changing al
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax                  ; ES = 0 -> interrupt vector table (as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]        ; install a dummy int 41h handler, old vector kept in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h                    ; our handler leaves ax untouched; a debugger hooking
 xchg dx, es:[41h*4]        ; int 41h answers 0F386h
 xchg bx, es:[41h*4+2]      ; restore the original vector
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC            ; our own int 41h handler: just saves AL in CL
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                   ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]         ; install our handler, old vector kept in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h                  ; unpredictable value read from the timer port
 xor cx,cx
 int 41h                     ; our handler should copy AL into CL...
 xchg dx, es:[41h*4]         ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al                   ; ...unless SoftICE caught the int first and CL stayed 0
 jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                  ; DOS set interrupt vector
 mov al, Int_Number           ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                 ; -1 (failure) becomes 0
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32)
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxDCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
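As an added example (not part of the original text), here is a small static triage
scanner that flags the opcode and string patterns of methods 01 to 12 in a raw binary,
the kind of check an analyst runs on an unpacked dump to see which anti-SoftICE tricks
a protector contains. The SIGNATURES table, the scan() function and the SAMPLE buffer
are my own constructions; the byte encodings are derived from the listings above.

```python
import re
import sys
from typing import List, Tuple

# Static triage scanner for the SoftICE checks in methods 01-12 (constructed for this
# example, not from the original text). Encodings assume x86 16-bit (DOS) or 32-bit
# code; the optional 66h prefix covers 16-bit-operand forms used from 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (the back door magic values)
    "M02 int 3 back door SI=4647h DI=4A4Dh":
        re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (SICE, SIWVID)
    "M03/04 int 2Fh/1684h VxD entry point":
        re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h; up to 16 bytes in between
    # leave room for the two xchg that restore the vector in Stone's variant
    "M05 int 41h/4Fh magic 0F386h":
        re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,16}?(?:\x66)?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): the \\.\SICE, \\.\SIWVID and \\.\NTICE device names
    "M11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit in data, sorted by offset."""
    hits = [(m.start(), name)
            for name, pat in SIGNATURES.items()
            for m in pat.finditer(data)]
    return sorted(hits)


# Constructed sample: NOP padding with five of the tricks embedded at known offsets.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 at 4
    + b"\x90" * 3
    + b"\x66\xB8\x84\x16\x66\xBB\x5F\x7A\xCD\x2F"                  # method 04 at 21
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"      # method 12 at 31
    + b"\\\\.\\NTICE\x00"                                          # method 11 at 44
    + b"\xB8\x4F\x00\xCD\x41\x26\x87\x16\x04\x01"                  # method 05 at 54
    + b"\x26\x87\x1E\x06\x01\x3D\x86\xF3"
)

if __name__ == "__main__":
    # Scan the files named on the command line, or the built-in sample if none.
    for path in sys.argv[1:] or ["<sample>"]:
        data = SAMPLE if path == "<sample>" else open(path, "rb").read()
        for off, name in scan(data):
            print(f"{path}: {off:#010x} {name}")
```

Since the text says these tricks live inside packers/encryptors, run the scanner on a memory dump taken after unpacking rather than on the packed file.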

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>