About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK') to call SoftICE's back door
through int 3; if SoftICE is loaded it services the call and AL no longer
holds 4:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our own handler: copy AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read PIT counter 0: a varying value in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
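To make sense of the DR7 values quoted above (0x700 with the SoftICE loader, 0x400 otherwise), here is an added example that is not part of the original post: it decodes DR7 according to the Intel-documented bit layout (L0-L3/G0-G3 enables in bits 0-7, LE/GE in bits 8-9, reserved bit 10, GD in bit 13, R/W and LEN fields from bit 16 up) and reports which hardware breakpoint slots a "read DR0-DR3" check would see as armed. The function names and the sample values are my own.

```python
# Added example (not from the original post): decode DR7 the way a
# debug-register check would read it. Bit layout follows the Intel SDM.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Describe which hardware breakpoints DR7 arms, plus its global flags."""
    breakpoints = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li bit
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi bit
        if not (local or glob):
            continue                              # slot DRi is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENi field
        breakpoints.append({"index": i, "local": local, "global": glob,
                            "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": breakpoints,
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "bit10": bool((dr7 >> 10) & 1),  # reserved, always reads as 1
        "GD": bool((dr7 >> 13) & 1),     # general detect: traps MOV to/from DRx
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The heuristic the text describes: 0x700 (LE and GE set) vs the idle 0x400."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def armed_bpm_count(dr7: int) -> int:
    """How many DR0-DR3 slots a memory-breakpoint check would see as set."""
    return len(decode_dr7(dr7)["breakpoints"])


def build_bpm(index: int, access: str, length: int, local: bool = True) -> int:
    """Constructed helper: the DR7 bits that arm one memory breakpoint in a slot."""
    rw = {v: k for k, v in RW_NAMES.items()}[access]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index if local else 2 * index + 1)
    return enable | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x400 | build_bpm(0, "read/write", 4)):
        print(hex(value), decode_dr7(value))
```

The idle value 0x400 is just the reserved bit; 0x700 adds the LE and GE exact-breakpoint flags, which is what distinguishes the two cases the text quotes. A BPM on DR0 shows up as an enable bit in the low byte plus R/W and LEN fields in bits 16-19, so it is visible to any ring0 code that reads the register.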

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
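Most of the tricks above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) leave fixed byte sequences or strings in the protected file, so an analyst can triage a binary statically before deciding which of the breakpoints listed above to set. The following is an added example, not part of the original post: a small signature scanner over a raw byte buffer. The byte patterns are my own encodings of the listings in the text (16-bit code for the DOS and int-based checks, 32-bit code for method 01), the sample buffer is constructed, and the function and table names are assumptions.

```python
import re

# Added example (not from the original post): static triage of a binary for
# the anti-SoftICE tricks described in the text. Each entry is
# (label, regex over raw bytes). Encodings are standard x86 and derived from
# the listings: 16-bit for the DOS/int-based checks, 32-bit for method 01.
SIGNATURES = [
    ("01 BoundsChecker back door (mov ebp,'BCHK')",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02 int 3 back door magic (mov si,4647h / mov di,4A4Dh)",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"),
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    ("05 int 41h/4Fh debugger check (mov ax,4fh / int 41h)",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41"),
    ("07 int 68h/43h check (mov ah,43h / int 68h)",
     rb"\xB4\x43.{0,8}\xCD\x68"),
    ("11 MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     rb"\x68\x2A\x00\x2A\x00"),
    ("13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes):
    """Return sorted (offset, label) pairs for every signature found in data."""
    hits = []
    for label, pattern in SIGNATURES:
        # DOTALL so the '.{0,8}' gaps also match 0x0A bytes between instructions
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample buffer: NOP/zero padding around a few of the checks,
# encoded as they would appear in a protected executable.
SAMPLE = (
    b"\x90" * 4                                            # padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # method 05 at offset 19
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"                                   # method 11 at offset 29
    + b"\x90\x90"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # method 12 push at offset 42
    + b"\x00"
    + b"Software\\NuMega\\SoftICE\x00"                     # method 13 at offset 48
)


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

Run it against a real file with `scan(open(path, "rb").read())`. The `.{0,8}` gaps tolerate a few unrelated bytes between the instructions of one check; tighten or widen them to trade false positives against missed variants, and treat a hit as a reason to set the corresponding SoftICE breakpoint from the text rather than as proof by itself.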

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>