<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to:

    mov ebp, 04243484Bh     ; 'BCHK' : BoundsChecker magic value
    mov ax, 04h             ; BoundsChecker function 04h
    int 3                   ; SoftICE services this int 3 when loaded
    cmp al,4                ; AL is changed only if something answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI still 0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

____________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI still 0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; int 41h function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; a system debugger answers before our handler
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: AX is only changed by a debugger
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 to address the IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in AL
    xor cx,cx
    int 41h                 ; if a debugger owns int 41h, our handler never runs
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our handler was executed
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h              ; int 68h function 43h: debugger installation check
    int 68h
    cmp ax,0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; int 21h function 25h: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds when SoftICE is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE?
    00401074: je 00401091        ; yes: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
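
As an added example (not part of the original text or of any tool it names), here is a Python scanner that looks in a binary for the byte-level traces of methods 01 to 07 and 11 to 13 above, so an analyst can spot these checks statically before single-stepping into them. The opcode patterns, the string list and the sample buffer are constructed here from the instruction encodings and names quoted in the text; the scan is a heuristic, not a proof.

```python
import re
import sys

# Opcode-level signatures, constructed from the 16-bit encodings of the instructions
# quoted in the text (32-bit code only adds a 0x66 prefix, which the gaps absorb).
# Heuristic only: split or reordered instructions will evade these patterns.
CODE_SIGNATURES = {
    "method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "method 02: SI=4647h and DI=4A4Dh back-door magic values":
        rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46",
    "method 03/04: int 2Fh with SICE (0202h) or SIWVID (7A5Fh) VxD ID in BX":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,12}?\xCD\x2F",
    "method 05/06: int 41h function 4Fh debugger check":
        rb"\xB8\x4F\x00.{0,6}?\xCD\x41",
    "method 07: int 68h function 43h (V86 WinICE handler)":
        rb"\xB4\x43.{0,6}?\xCD\x68",
    "method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
# Driver names opened by MeltICE-style checks (method 11) and the registry keys of
# method 13; matched case-insensitively, both as ASCII and as UTF-16LE.
STRINGS = {
    "method 11: SoftICE driver name (CreateFileA/_lopen)":
        [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "method 13: SoftICE registry key":
        [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"],
}

def _compile():
    sigs = [(d, re.compile(p, re.S)) for d, p in CODE_SIGNATURES.items()]
    for desc, names in STRINGS.items():
        alts = [re.escape(n) for n in names]
        alts += [re.escape(n.decode("ascii").encode("utf-16-le")) for n in names]
        sigs.append((desc, re.compile(b"|".join(alts), re.I)))
    return sigs

SIGNATURES = _compile()

def scan(data: bytes):
    """Return sorted (offset, description) pairs for every signature hit in data."""
    hits = []
    for desc, rx in SIGNATURES:
        hits.extend((m.start(), desc) for m in rx.finditer(data))
    return sorted(hits)

# Constructed sample: a method 01 stub, a method 02 stub, a UTF-16LE MeltICE device
# name and the NuMega registry key, separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x00" * 5
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"        # method 02
    + b"\x00" * 5
    + "\\\\.\\SIWVID".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, desc in scan(blob):
        print(f"{off:#010x}  {desc}")
```

Run it with a file path to scan a real binary; without arguments it scans the constructed sample and reports one hit per embedded trick.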

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed    ; sets the zero flag if no debugger is present
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>