<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognizes:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BCHK request by changing al
    cmp al, 4               ; al is still 4 if nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It looks up the SoftICE VxD by its ID via
int 2Fh/1684h (Get Device API Entry Point):

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next variant, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; saving the old vector in DX:BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler never touches ax, so 0F386h
    jz SoftICE_detected     ; can only come from SoftICE

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port: an unpredictable byte in al
    xor cx,cx
    int 41h                 ; if our handler ran, cl == al afterwards
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0 -> SoftICE swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detects the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device only succeeds when the SICE VxD is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

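The instruction sequences of methods 01 to 07 and 12, plus the device names of method 11 (MeltICE), written out as byte signatures for a small triage scanner. This is an added example, not code from the original text or from any tool it mentions; the encodings are hand-assembled and the sample blob is constructed.

```python
"""Triage scanner for the SoftICE-detection code sequences described above.

Each method's instruction sequence is written out as a byte signature, and
scan() reports which ones occur in a raw code blob, the way an analyst flags
anti-debug tricks when triaging a sample.  Encodings assume 16-bit x86 code
unless noted; an optional 66h prefix also covers the 32-bit forms.
"""
import re
from typing import Dict, List

# Method 11 (MeltICE) opens these device names; the literal bytes are \\.\NAME
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    "M01 BoundsChecker BCHK": rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc\x3c\x04",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    "M02 back-door SI/DI magic": rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD lookup": rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05 int 41h/4Fh magic F386": rb"\x66?\xb8\x4f\x00\xcd\x41\x66?\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68h/43h magic F386": rb"\xb4\x43\xcd\x68\x66?\x3d\x86\xf3",
    # Method 12 (32-bit): push 4Fh / push 002A002Ah, then call VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch": rb"(\x68\x4f\x00\x00\x00|\x6a\x4f)\x68\x2a\x00\x2a\x00",
    # Method 11: any of the device names passed to CreateFileA / _lopen
    "M11 MeltICE device name": b"|".join(re.escape(n) for n in DEVICE_NAMES),
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [offsets]} for every signature found in blob."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample (not bytes from the real file): the Haspinst.exe loop of
# Method 02 hand-assembled as 16-bit code, then a MeltICE-style device string.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"      # 0095 mov ax,0911h
    + b"\x8b\x17"          # 0098 mov dx,[bx]
    + b"\xbe\x47\x46"      # 009A mov si,4647h
    + b"\xbf\x4d\x4a"      # 009D mov di,4A4Dh
    + b"\xcc"              # 00A0 int 3
    + b"\x83\xc3\x02"      # 00A1 add bx,2
    + b"\x41"              # 00A4 inc cx
    + b"\x83\xf9\x06"      # 00A5 cmp cx,6
    + b"\x72\xeb"          # 00A8 jb 0095
    + b"\xe9\x55\xff"      # 00AA jmp 0002
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"   # '\\.\SICE',0 as opened by CreateFileA
)
```

scan(SAMPLE) reports the Method 02 sequence at offset 9 and the SICE device name at offset 36; a blob with none of the sequences yields an empty dict.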
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>