<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, SoftICE answers the int 3 by changing AL.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL unchanged -> nobody answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
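Added example, not part of the original text nor of any packer: a small C
scanner that finds the two int 3 based checks above (the 'BCHK' signature of
Method 01 and the back door magic values of Method 02) in a raw code image,
the way you would locate them in a dumped packer before patching them out.
It classifies every CCh byte by the register setup found just before it, so a
lone int 3 used as padding is not reported. The x86 encodings are the standard
ones; the 12-byte setup window and the hand-assembled sample image are
assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes before an int 3 in which the register setup must be found (assumed;
   both listings above set everything up within a dozen bytes). */
#define SETUP_WINDOW 12

typedef enum { NOT_A_CHECK = 0, METHOD01_BCHK = 1, METHOD02_BACKDOOR = 2 } check_kind;
typedef struct { size_t offset; check_kind kind; } hit_t;

/* Does needle occur anywhere in buf[0..len)? */
static int contains(const uint8_t *buf, size_t len, const uint8_t *needle, size_t nlen)
{
    for (size_t i = 0; nlen <= len && i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Classify the int 3 (CCh) at img[at] by what was loaded just before it. */
check_kind classify_int3(const uint8_t *img, size_t len, size_t at)
{
    /* mov ebp, 4243484Bh: opcode BDh + imm32 little-endian ('BCHK' reversed);
       the 66h prefix of 16-bit code precedes BDh and is simply not matched */
    static const uint8_t mov_ebp_bchk[] = {0xBD, 0x4B, 0x48, 0x43, 0x42};
    /* mov si,4647h ('FG') and mov di,4A4Dh ('JM'): BEh/BFh + imm16 */
    static const uint8_t mov_si_fg[] = {0xBE, 0x47, 0x46};
    static const uint8_t mov_di_jm[] = {0xBF, 0x4D, 0x4A};

    if (at >= len || img[at] != 0xCC)
        return NOT_A_CHECK;
    size_t start = at > SETUP_WINDOW ? at - SETUP_WINDOW : 0;
    const uint8_t *w = img + start;
    size_t wlen = at - start;

    if (contains(w, wlen, mov_ebp_bchk, sizeof mov_ebp_bchk))
        return METHOD01_BCHK;
    if (contains(w, wlen, mov_si_fg, sizeof mov_si_fg) &&
        contains(w, wlen, mov_di_jm, sizeof mov_di_jm))
        return METHOD02_BACKDOOR;
    return NOT_A_CHECK;
}

/* Scan a raw image; returns the number of hits stored in hits[]. */
size_t scan_for_softice_checks(const uint8_t *img, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        check_kind k = classify_int3(img, len, i);
        if (k != NOT_A_CHECK) {
            hits[n].offset = i;
            hits[n].kind = k;
            n++;
        }
    }
    return n;
}

/* Constructed sample image (hand-assembled 16-bit code, not from any real file). */
const uint8_t sample_image[] = {
    0xCC,                                /* 00: lone int 3 (padding), no setup: ignored */
    0x90,                                /* 01: nop */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  /* 02: mov ebp, 4243484Bh  ('BCHK') */
    0xB8, 0x04, 0x00,                    /* 08: mov ax, 4 */
    0xCC,                                /* 11: int 3                -> Method 01 */
    0x3C, 0x04,                          /* 12: cmp al, 4 */
    0x75, 0x10,                          /* 14: jnz SoftICE_Detected */
    0xB8, 0x11, 0x09,                    /* 16: mov ax, 0911h */
    0x8B, 0x17,                          /* 19: mov dx, [bx] */
    0xBE, 0x47, 0x46,                    /* 21: mov si, 4647h  ('FG') */
    0xBF, 0x4D, 0x4A,                    /* 24: mov di, 4A4Dh  ('JM') */
    0xCC,                                /* 27: int 3                -> Method 02 */
    0x83, 0xC3, 0x02,                    /* 28: add bx, 2 */
};
const size_t sample_image_len = sizeof sample_image;

int main(void)
{
    hit_t hits[8];
    size_t n = scan_for_softice_checks(sample_image, sample_image_len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("int 3 at offset %zu: %s\n", hits[i].offset,
               hits[i].kind == METHOD01_BCHK ? "Method 01 (BCHK signature)"
                                             : "Method 02 (back door magic values)");
    return 0;
}
```

Matching on the immediates rather than on a fixed byte string is deliberate:
packers reorder the setup instructions or interleave junk, but the 'BCHK'
constant and the 'FG'/'JM' magic values have to be in the registers when the
int 3 fires, so they survive in the bytes just before it.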

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It temporarily points the int 41h vector at a dummy
handler, so that without a debugger the call returns harmlessly
(ES is assumed to be 0, i.e. to address the interrupt vector table):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, saving the old
        xchg bx, es:[41h*4+2]   ; vector (offset in DX, segment in BX)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect,
since neither function 4Fh nor the value 0F386h appears in the code:

int41handler PROC
        mov cl, al              ; only reached if nothing intercepted int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter byte: an arbitrary value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; our handler ran -> CL == AL
        jnz SoftICE_Detected

If SoftICE intercepts int 41h, the handler is never reached, CL keeps the 0
set by xor cx,cx and differs from AL (except when the byte read from port
40h happens to be 0, a 1-in-256 false negative).

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler of int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if the program was loaded with SoftICE's loader, 0x400 otherwise:
bit 10 of DR7 is reserved and always reads as 1, and 0x700 adds the LE and GE
bits 8 and 9), or whether some memory breakpoints are set (DR0 to DR3, armed
through the L0-L3/G0-G3 bits of DR7), simply by reading their values (in ring 0
only). The values can be manipulated or changed as well (clearing BPMs for
instance).
__________________________________________________________________________
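Added example (not from the original text): C code decoding a DR7 value the
way a ring 0 check of Method 10 would, reporting which of DR0-DR3 are armed,
with which access type and length, whether any of them covers a given address,
and whether the value carries the LE/GE bits the text associates with SoftICE's
loader. The bit layout is Intel's; the sample values are constructed (two of
them are the ones quoted above, the third has one 4-byte write BPM on DR1).

```c
#include <stdint.h>
#include <stdio.h>

/* Intel DR7 layout: L<n> = bit 2n, G<n> = bit 2n+1, LE = bit 8, GE = bit 9,
   bit 10 reserved (reads as 1), GD = bit 13, R/W<n> = bits 16+4n..17+4n,
   LEN<n> = bits 18+4n..19+4n. */
typedef struct {
    int enabled[4];   /* breakpoint n armed (L<n> or G<n> set) */
    int rw[4];        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];       /* length in bytes: 1, 2, 4 (8 only in 64-bit mode) */
    int le, ge;       /* exact local/global breakpoint matching (bits 8, 9) */
    int gd;           /* general detect: traps any mov to/from DRn (bit 13) */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = {1, 2, 8, 4};
    dr7_info d;
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;
        d.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        d.len[n]     = len_bytes[(dr7 >> (18 + 4 * n)) & 3u];
    }
    d.le = (int)((dr7 >> 8) & 1u);
    d.ge = (int)((dr7 >> 9) & 1u);
    d.gd = (int)((dr7 >> 13) & 1u);
    return d;
}

/* Number of armed hardware breakpoints (SoftICE BPMs show up here). */
int count_armed_bpm(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += d.enabled[i];
    return n;
}

/* The text's observation: a program started with SoftICE's loader shows
   DR7 = 0x700, i.e. LE and GE set on top of the always-set bit 10. */
int dr7_has_loader_signature(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* Index of the armed breakpoint whose range [DRn, DRn+len) covers addr,
   or -1. dr[0..3] are the values read from DR0..DR3. */
int bpm_covering(const uint32_t dr[4], uint32_t dr7, uint32_t addr)
{
    dr7_info d = decode_dr7(dr7);
    for (int n = 0; n < 4; n++)
        if (d.enabled[n] && addr >= dr[n] && addr < dr[n] + (uint32_t)d.len[n])
            return n;
    return -1;
}

int main(void)
{
    /* Constructed values: the two quoted in the text, and one with a 4-byte
       write BPM on DR1 (G1 | R/W1 = 01 | LEN1 = 11) at 401000h. */
    const uint32_t samples[] = {0x400u, 0x700u, 0xD00408u};
    const uint32_t dr[4] = {0, 0x401000u, 0, 0};
    for (size_t i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("DR7=%08X armed=%d LE=%d GE=%d GD=%d loader=%d\n",
               (unsigned)samples[i], count_armed_bpm(samples[i]), d.le, d.ge, d.gd,
               dr7_has_loader_signature(samples[i]));
    }
    printf("BPM covering 401002h: DR%d\n", bpm_covering(dr, 0xD00408u, 0x401002u));
    return 0;
}
```

Reading DR0-DR7 needs ring 0 (mov eax, dr7 faults in ring 3), which is why the
text restricts this method to VxD code; the decoder itself only needs the
values, so it can also be applied to registers captured from a crash dump.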
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; -> '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; -> '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available under Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word: which VxD (VWIN32)
                                ; low word: which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey string; offset 0x13 is where "tICE" sits in
"Software\NuMega\SoftICE" and 0x37 where it sits in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", so this
breakpoint covers keys #2 and #1 but not #3.)
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set -> no debugger
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>