<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BoundsChecker handshake
    cmp al, 4               ; AL is left at 4 if nothing handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0:0 if the VxD is not present)
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table segment), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler and keep the
    xchg bx, es:[41h*4+2]   ; old vector (offset in DX, segment in BX)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; only a debugger hooking int 41h returns this
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; dummy handler: leaves AX untouched
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = current PIT counter byte (unpredictable)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if our handler really ran;
    jnz SoftICE_detected    ; CL stays 0 if something else took int 41h

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                        ; OF_READ
    mov eax,[00656634]             ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                        ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589                   ; detected
    push 00                        ; OF_READ
    mov eax,[00656638]             ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                    ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
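As an added example (not from the original text, nor from any tool it mentions), here is a small Python scanner that looks for the byte-level signatures of the methods above in a raw binary or memory dump, so an analyst can tell which tricks a sample embeds before tracing it. The instruction encodings (16-bit mov si/di/bx,imm16 and 32-bit mov ebp,imm32 as written on the page) and the SAMPLE blob are my own assumptions; the device-name and registry strings come from the page.

```python
"""Static scanner for the SoftICE-detection signatures listed on this page.

Added example, not part of the original text. Encodings assume the instruction
forms shown above; the SAMPLE blob is constructed. Hits are triage leads for
the analyst, not proof that the code path is reachable.
"""
import re
import sys

# label -> byte patterns, each derived from one of the listings on this page
SIGNATURES = {
    "01 BoundsChecker 'BCHK' marker (mov ebp,4243484Bh)":
        [b"\xBD\x4B\x48\x43\x42"],
    "02 back-door magic values (mov si,4647h / mov di,4A4Dh)":
        [b"\xBE\x47\x46", b"\xBF\x4D\x4A"],
    "03/04/09 VxD IDs 0202h / 7A5Fh loaded into bx":
        [b"\xBB\x02\x02", b"\xBB\x5F\x7A"],
    "05/07/12 debugger magic number (cmp ax,0F386h)":
        [b"\x3D\x86\xF3"],
    "11 MeltICE device names":
        [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "12 VWIN32_Int41Dispatch VxDCall (push 002A002Ah)":
        [b"\x68\x2A\x00\x2A\x00"],
    "13 SoftICE registry keys":
        [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"Loader32.Exe"],
}


def scan(blob: bytes) -> dict:
    """Return {label: sorted offsets} for every signature family found in blob."""
    hits = {}
    for label, patterns in SIGNATURES.items():
        offsets = sorted(m.start() for pat in patterns
                         for m in re.finditer(re.escape(pat), blob))
        if offsets:
            hits[label] = offsets
    return hits


def report(blob: bytes) -> list:
    """One human-readable line per hit: '0x<offset>  <label>'."""
    return [f"0x{off:08x}  {label}"
            for label, offs in scan(blob).items() for off in offs]


# Constructed test blob: a fake stub embedding Method 01, a cmp ax,0F386h
# check and two MeltICE device names, separated by header/padding bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 14                          # 16 bytes of fake header
    + b"\xBD\x4B\x48\x43\x42"                     # mov ebp,4243484Bh   (offset 16)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"     # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x3D\x86\xF3\x74\x05"                     # cmp ax,0F386h / jz  (offset 30)
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"         # device names        (offsets 35, 44)
    + b"\x00" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data):
        print(line)
    if not scan(data):
        print("no SoftICE-detection signatures found")
```

Run it with a file path to scan a real dump, or without arguments to scan the constructed SAMPLE.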
</PRE></TD></TR></TBODY></TABLE>