About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>