<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; es = 0 (IVT segment) is assumed here, as set up in Method 06
 xchg bx, es:[41h*4+2]  ; temporarily install our own int 41h handler
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler
 xchg bx, es:[41h*4+2]
 in al, 40h             ; pseudo-random value from the timer
 xor cx,cx
 int 41h                ; our handler copies al into cl; SoftICE's does not
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
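An added example (not from this text): a small C decoder for the DR7 bit
layout, showing why 0x400 is the idle value, why 0x700 (LE and GE set) is
what you get after loading with the SoftICE loader, and which slot, access
type and length an armed BPM occupies. Reading the debug registers needs
ring0, so the values here are constructed numbers passed in by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
   bits 8, 9  : LE, GE  (exact breakpoint match; what 0x700 adds over 0x400)
   bit  10    : reserved, always reads as 1 (hence the idle value 0x400)
   bit  13    : GD      (general detect: trap on any mov to/from DRx)
   bits 16+4i : R/W(i)  0 exec, 1 write, 3 read/write (2 = I/O when CR4.DE)
   bits 18+4i : LEN(i)  0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes */
#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED1 (1u << 10)
#define DR7_GD        (1u << 13)

typedef struct {
    int enabled;      /* L or G bit set for this slot */
    unsigned rw;      /* raw R/W field */
    unsigned len;     /* length in bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le, ge, gd;
    int armed;        /* any slot enabled: a BPM is set */
} dr7_info_t;

static unsigned dr7_len_bytes(unsigned code)
{
    switch (code) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* code 2: 8 bytes on 64-bit, undefined on 32-bit */
    }
}

dr7_info_t decode_dr7(uint32_t dr7)
{
    dr7_info_t info;
    memset(&info, 0, sizeof info);
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i))     & 1u;
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;
        info.slot[i].enabled = (local | global) != 0;
        info.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3u;
        info.slot[i].len = dr7_len_bytes((dr7 >> (18 + 4 * i)) & 3u);
        if (info.slot[i].enabled)
            info.armed = 1;
    }
    info.le = (dr7 & DR7_LE) != 0;
    info.ge = (dr7 & DR7_GE) != 0;
    info.gd = (dr7 & DR7_GD) != 0;
    return info;
}

/* Classification along the lines of the text: 0x400 is idle, 0x700 is the
   value seen after loading through the SoftICE loader (LE+GE, no slot
   enabled), anything with an L/G bit set means a BPM is armed. */
const char *classify_dr7(uint32_t dr7)
{
    dr7_info_t info = decode_dr7(dr7);
    if (info.armed)         return "BPM armed";
    if (info.le || info.ge) return "LE/GE set, no BPM (SoftICE loader value)";
    return "idle";
}

static const char *rw_name(unsigned rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3u];
}

int main(void)
{
    /* Constructed DR7 values: the two the text quotes, plus one with a
       4-byte write BPM in slot 0 (L0=1, RW0=01, LEN0=11) on top of 0x400. */
    const uint32_t samples[] = { 0x400u, 0x700u, 0xD0401u };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        dr7_info_t info = decode_dr7(samples[k]);
        printf("dr7=0x%05X: %s\n", (unsigned)samples[k], classify_dr7(samples[k]));
        for (int i = 0; i < 4; i++)
            if (info.slot[i].enabled)
                printf("  slot %d: %s, %u byte(s)\n", i,
                       rw_name(info.slot[i].rw), info.slot[i].len);
    }
    return 0;
}
```

The decoder only interprets a value; it does not read DR7 itself (that is a
privileged mov from a ring0 driver). The classification is the one the text
gives and does not distinguish SoftICE from any other debugger that sets
LE/GE or arms a hardware breakpoint.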

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>