<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; AL is no longer 4 if SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WinIce
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax          ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our handler into the IVT (ES = 0, as in Method 06)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

With the int 41h vector pointing to a plain iret, AX can only come back as
0F386h if a debugger intercepts int 41h before the vector is reached.

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random-ish value read from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL was only loaded if our handler actually ran
    jnz SoftICE_detected

If SoftICE handles int 41h itself instead of passing it on to the vector,
the installed handler never copies AL into CL and the comparison fails.
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS Set Interrupt Vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
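An added example, not part of the original text: a Python decoder for the DR7 bit layout (bit positions as documented in the Intel architecture manuals), showing what the 0x400 and 0x700 values quoted above contain and which DR0-DR3 slots a given DR7 has armed. The sample values are constructed.

```python
# DR7 layout (x86): bits 0-7 = L0/G0 .. L3/G3 enables, bit 8 = LE, bit 9 = GE,
# bit 10 = reserved (always reads as 1, hence the 0x400 baseline), bit 13 = GD,
# bits 16-31 = R/Wn (2 bits) and LENn (2 bits) for each of the four slots.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> bytes covered


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and per-slot settings."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                       # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"n": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": slots,
    }


def softice_loaded_hint(dr7: int) -> str:
    """The page's rule of thumb: 0x700 (LE+GE set) = SoftICE loader, 0x400 = not."""
    if dr7 & 0x300 == 0x300:
        return "LE+GE set: program was started through the SoftICE loader"
    return "LE/GE clear: no sign of the SoftICE loader"


def active_bpm(dr7: int) -> list:
    """Numbers of the DR0-DR3 slots that currently hold a breakpoint (BPM)."""
    return [bp["n"] for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # Constructed values: the two quoted in Method 10, plus one with a
    # 4-byte read/write BPM in DR0 (L0=1, R/W0=11b, LEN0=11b).
    for value in (0x400, 0x700, 0x000F0701):
        print(hex(value), softice_loaded_hint(value), active_bpm(value))
```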

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
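An added example, not code from the original text or from any program it names: a static scanner, written here in Python, that looks for the opcode and string idioms of Methods 01, 02, 03/04, 05, 07 and 11 in a code buffer, the way an analyst triages a packer for these checks. The byte encodings are the 16-bit ones; the sample buffer is constructed from the Haspinst.exe listing of Method 02, the Method 05 snippet and a MeltICE device name.

```python
import re

# Byte signatures for the SoftICE checks described in Methods 01-07 and 11
# (16-bit operand encodings; the 'BCHK' immediate is matched with or without
# the 66h prefix, so both 16-bit and 32-bit code are covered). Short wildcard
# gaps allow a few interleaved instructions between the key opcodes.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,6}?\xCC",
    "02 back door (SI=4647h, DI=4A4Dh, int 3)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    "03/04 int 2Fh/1684h entry point of SICE or SIWVID":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3",
    "07 int 68h/43h magic 0F386h":
        rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3",
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan_for_softice_checks(code: bytes) -> list:
    """Return (offset, description) pairs for every idiom found, by offset."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample, not bytes from any real binary: the Haspinst.exe loop
# from Method 02 re-encoded, then the Method 05 check, then a device name.
SAMPLE = bytes.fromhex(
    "B8 11 09"      # mov ax,0911h
    "8B 17"         # mov dx,[bx]
    "BE 47 46"      # mov si,4647h
    "BF 4D 4A"      # mov di,4A4Dh
    "CC"            # int 3
    "83 C3 02"      # add bx,2
    "41"            # inc cx
    "83 F9 06"      # cmp cx,6
    "72 EB"         # jb back to mov ax,0911h
    "90 90 90 90"   # filler
    "B8 4F 00"      # mov ax,4Fh
    "CD 41"         # int 41h
    "3D 86 F3"      # cmp ax,0F386h
    "74 00"         # jz (target irrelevant here)
) + b"\\\\.\\SICE\x00"   # '\\.\SICE',0 as MeltICE passes it to CreateFileA


if __name__ == "__main__":
    for offset, desc in scan_for_softice_checks(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```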


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>