<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax          ; ES:DI is 0:0 when no such VxD is installed
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler (ES must
    xchg bx, es:[41h*4+2]       ; point to the IVT, segment 0, as in Method 06)
    mov ax,4fh
    int 41h                     ; SoftICE answers before the IVT vector is reached
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                        ; a plain system leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, saving the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; a pseudo-random byte from the timer
    xor cx,cx
    int 41h                     ; if SoftICE took the interrupt, our handler never ran
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; cl == al only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
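The constants the methods above rely on (the 'BCHK' value, the SI/DI magic values, the int 2Fh/1684h VxD IDs, function 4Fh of int 41h and function 43h of int 68h with the 0F386h answer) are what an analyst looks for when triaging a packed sample. As an added example, not part of the original text, here is a small Python scanner that searches a binary for the byte encodings of Methods 01 to 05 and 07; the encodings, the 32-byte window and the sample blob are my own assumptions (16-bit forms, except Method 01 whose listing is 32-bit), and a real packer may use other encodings.

```python
from typing import Dict, List, Tuple

# Byte fragments of the instructions the page lists for each method.  A rule
# hits when ALL of its fragments occur within WINDOW bytes of each other, in
# any order, so reordered register setup or interleaved instructions (as in
# Stone's int 41h variant) still match.  Encodings are my own: 16-bit forms,
# except Method 01 whose listing is 32-bit code; in the other mode a 0x66
# operand-size prefix precedes the same bytes, so the fragments still match.
WINDOW = 32
RULES: Dict[str, List[bytes]] = {
    # mov ebp,4243484Bh / int 3 / cmp al,4
    "Method 01 BoundsChecker 'BCHK' via int 3": [b"\xbd\x4b\x48\x43\x42", b"\xcc", b"\x3c\x04"],
    # mov si,4647h / mov di,4A4Dh / int 3
    "Method 02 int 3 back door, magic SI/DI": [b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc"],
    # mov ax,1684h / mov bx,0202h / int 2Fh
    "Method 03 int 2Fh/1684h, VxD ID 0202h (SICE)": [b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f"],
    # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    "Method 04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)": [b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f"],
    # mov ax,4Fh / int 41h / cmp ax,0F386h
    "Method 05 int 41h fn 4Fh, magic 0F386h": [b"\xb8\x4f\x00", b"\xcd\x41", b"\x3d\x86\xf3"],
    # mov ah,43h / int 68h / cmp ax,0F386h
    "Method 07 int 68h fn 43h, magic 0F386h": [b"\xb4\x43", b"\xcd\x68", b"\x3d\x86\xf3"],
}

def find_all(data: bytes, frag: bytes) -> List[int]:
    """Every offset at which frag occurs in data (overlaps allowed)."""
    hits, pos = [], data.find(frag)
    while pos != -1:
        hits.append(pos)
        pos = data.find(frag, pos + 1)
    return hits

def scan(data: bytes) -> List[Tuple[str, int]]:
    """(rule name, offset of the rule's first fragment) for every rule whose
    fragments all occur within WINDOW bytes of that first fragment."""
    findings = []
    for name, frags in RULES.items():
        offsets = [find_all(data, f) for f in frags]
        for start in offsets[0]:           # anchor on the first fragment
            if all(any(abs(o - start) <= WINDOW for o in rest) for rest in offsets[1:]):
                findings.append((name, start))
                break                      # one report per rule is enough
    return findings

# Constructed sample, not a real binary: Method 02's Haspinst sequence followed
# by Method 05's simplest form, both in 16-bit encoding, between NOP padding.
SAMPLE = bytes.fromhex(
    "9090"
    "b81109" "8b17" "be4746" "bf4d4a" "cc"      # mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3
    "b84f00" "cd41" "3d86f3" "7410"             # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    "9090")

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Method 06 has no fixed constant besides the interrupt number, so it is not in the rule table; a single-byte fragment such as int 3 (0xCC) is only meaningful together with the other fragments of its rule.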
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name \\.\SICE can only be opened when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025      ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov  eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589             ; detected
    push 00                   ; OF_READ
    mov  eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
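The breakpoint conditions of Methods 11, 12 and 13 (*(esp->4+4)=='SICE', edx->1c==4f, *(esp->8+0x13)=='tICE') all rely on the same few SoftICE expression rules: esp->4 is the first stack argument, +4 skips the \\.\ prefix of the device name, and 0x13 / 0x37 are the offsets of "tICE" inside the two key paths. As an added example, not from the original text, the following Python models that expression subset and evaluates the page's breakpoints against a constructed call-site snapshot; the operator semantics (reg->n reads the dword at reg+n, *x reads the dword at x, 'ABCD' is the dword whose bytes read A,B,C,D in memory) are my understanding of SoftICE, and the stack layout, addresses and strings are constructed, not captured.

```python
import re
# SoftICE conditional-expression subset used by this page's breakpoints: registers, hex numbers
# (bare, 0x-prefixed or h-suffixed; bare hex starting with a-f needs 0x here), 'ABCD', ->, *, +, ==, ||, &&.
TOKEN = re.compile(r"\s*(\|\||&&|==|->|[()*+]|'[^']*'|[a-z]+|0x[0-9a-f]+|[0-9a-f]+h?)", re.I)
REG32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
BINOPS = [("||", lambda a, b: int(bool(a or b))), ("&&", lambda a, b: int(bool(a and b))),
          ("==", lambda a, b: int(a == b)), ("+", lambda a, b: (a + b) & 0xFFFFFFFF)]  # loosest first

class BpCondition:
    def __init__(self, regs, mem, base):     # regs: 32-bit values; mem: bytes mapped at base
        self.regs, self.mem, self.base = regs, mem, base
    def dword(self, addr):
        off = addr - self.base
        assert 0 <= off <= len(self.mem) - 4, f"unmapped read at {addr:08X}"
        return int.from_bytes(self.mem[off:off + 4], "little")
    def atom(self, tok):
        if tok.startswith("'"):  # 'SICE' is the dword whose bytes read S,I,C,E in memory
            return int.from_bytes(tok[1:-1].encode(), "little")
        low = tok.lower()
        if low in REG32 or "e" + low in REG32:  # ax, di, ... are the low 16 bits of eax, edi, ...
            return self.regs[low] if low in REG32 else self.regs["e" + low] & 0xFFFF
        return int(low[2:] if low.startswith("0x") else low.rstrip("h"), 16)
    def evaluate(self, cond):
        self.toks = TOKEN.findall(cond)
        return self.binary() != 0
    def binary(self, level=0):               # each precedence level parses the tighter one
        if level == len(BINOPS):
            return self.unary()
        op, fn = BINOPS[level]
        v = self.binary(level + 1)
        while self.toks[:1] == [op]:
            self.toks.pop(0)
            v = fn(v, self.binary(level + 1))
        return v
    def unary(self):
        tok = self.toks.pop(0)
        if tok == "*":                       # *x reads the dword at x
            return self.dword(self.unary())
        if tok == "(":
            v = self.binary()
            assert self.toks.pop(0) == ")", "missing )"
        else:
            v = self.atom(tok)
        while self.toks[:1] == ["->"]:       # x->n reads the dword at x+n
            self.toks.pop(0)
            v = self.dword(v + self.atom(self.toks.pop(0)))
        return v

def snapshot(regs, *args):
    """Constructed call-site state (not a capture): return address at [esp], then the
    stack arguments; bytes arguments are stored in memory and passed by pointer."""
    base, mem, words = 0x0012F000, bytearray(0x200), [0x00401071]  # ret addr from the page's listing
    for n, arg in enumerate(args):
        if isinstance(arg, bytes):           # each string gets its own 0x40-byte slot
            at = 0x80 + 0x40 * n
            mem[at:at + len(arg) + 1] = arg + b"\0"
            arg = base + at
        words.append(arg)
    mem[:4 * len(words)] = b"".join(w.to_bytes(4, "little") for w in words)
    return BpCondition({**dict.fromkeys(REG32, 0), **regs, "esp": base}, mem, base)
```

For instance snapshot({}, b"\\\\.\\SICE").evaluate("*(esp->4+4)=='SICE'") models the CreateFileA breakpoint firing, and the same call with b"C:\\readme.txt" returns False.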
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>