<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table segment), as set up in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the PIT timer port
    xor cx,cx               ; cl = 0
    int 41h                 ; our handler copies al into cl; a debugger's does not
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means another int 41h handler ran
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

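As an added example (not from the original text), a decoder for the debug-register values this method reads: it splits DR7 into its documented fields so the two values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) and any BPM-style breakpoints in DR0-DR3 can be interpreted. The field layout is the Intel one; the function names and the classification strings are my own.

```python
# Added example, not code from the original text. DR7 layout per the Intel SDM:
# L/G enable bits 0-7 (two per breakpoint), LE bit 8, GE bit 9, bit 10 reserved
# (always reads as 1, hence the reset value 0x400), GD bit 13, R/Wn bits 16+4n,
# LENn bits 18+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return a dict describing DR7 and the hardware breakpoints it enables."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "index": n,
            "address": dr0_3[n],
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return {
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD: any MOV to/from DRx faults
        "breakpoints": bps,
    }


def debugger_hint(dr7, dr0_3=(0, 0, 0, 0)):
    """Classify a DR7 snapshot the way the trick in the text does.

    0x400 is the reset value (only reserved bit 10 set). LE/GE (0x300) are
    the bits the text says the SoftICE loader leaves set; any enabled DR0-DR3
    entry corresponds to a BPM-style memory breakpoint.
    """
    info = decode_dr7(dr7, dr0_3)
    if info["breakpoints"]:
        return "hardware breakpoints active"
    if info["local_exact"] or info["global_exact"]:
        return "debugger loader present"
    return "clean"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), debugger_hint(value, (0x401000, 0, 0, 0)))
```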
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
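As an added example (not code from the original text), a small signature scanner that serves methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above: it flags the byte encodings of the interrupt sequences and the device-name and registry strings inside a raw code blob, the way a triage script marks anti-debugging tricks in a sample. The opcode encodings are the 16-bit forms of the code shown on this page, the signature names are my own, and the sample blob is constructed.

```python
# Added example, not code from the original text. Byte signatures are the plain
# 16-bit encodings of the sequences listed on this page (B8 = mov ax,imm16,
# BB = mov bx,imm16, BE/BF = mov si/di,imm16, CD = int imm8, 3D = cmp ax,imm16,
# BD = mov ebp,imm32, 6A/68 = push imm8/imm32); operand-size prefixes (66h)
# emitted in the other CPU mode are not accounted for. None is a one-byte wildcard.

SIGNATURES = {
    "m01 BoundsChecker 'BCHK'": [0xBD, 0x4B, 0x48, 0x43, 0x42],             # mov ebp,4243484Bh
    "m02 int3 backdoor magic": [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC],  # si=4647h di=4A4Dh int 3
    "m03 int2F/1684 SICE": [0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F],
    "m04 int2F/1684 SIWVID": [0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F],
    "m05 int41/4F + F386": [0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3],
    "m07 int68/43 + F386": [0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3],
    "m12 VWIN32_Int41Dispatch": [0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00],  # push 4Fh; push 002A002Ah
    "m12 VWIN32_Int41Dispatch (imm32 push)": [0x68, 0x4F, 0, 0, 0, 0x68, 0x2A, 0, 0x2A, 0],
}
STRINGS = {
    "m11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "m13 SoftICE registry key": [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                                 b"App Paths\\Loader32.Exe"],
}


def _match_at(blob, off, pat):
    return off + len(pat) <= len(blob) and all(
        p is None or blob[off + i] == p for i, p in enumerate(pat))


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = [(off, name) for name, pat in SIGNATURES.items()
            for off in range(len(blob)) if _match_at(blob, off, pat)]
    for name, needles in STRINGS.items():
        for needle in needles:
            off = blob.find(needle)
            while off != -1:
                hits.append((off, name))
                off = blob.find(needle, off + 1)
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop body from method 02, the simplest
# int 41h check from method 05 and a MeltICE device name, padded with NOPs.
SAMPLE = (b"\x90" * 4
          + bytes([0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC])
          + b"\x90" * 3
          + bytes([0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x10])
          + b"\\\\.\\SICE\x00junk")

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```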
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>