<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax          ; a non-zero entry point means the VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily swaps its own iret
handler into the int 41h vector around the call (es is assumed to point to
the interrupt vector table at segment 0, as Method 06 sets up explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; timer port: an unpredictable value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; cl==al only if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver answers to its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
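As an added example (not part of the original text), here is a Python scanner that looks for the byte-level fingerprints of the checks from Methods 01 to 07, 11, 12 and 13 in a file image: the static counterpart of the BPX conditions given above. The opcode encodings, the labels and the sample buffer are my own construction, not anything taken from the original.

```python
import re

# Byte-level fingerprints of the SoftICE checks described in the text.
# Encodings are the 16-bit ones the listings use; a 66h operand-size prefix
# in 32-bit code leaves these byte sequences intact, so they still match.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before int 3
    "01 BoundsChecker int 3": [rb"\xBD\x4B\x48\x43\x42"],
    # Method 02: mov si,4647h ... mov di,4A4Dh (back door magic values)
    "02 int 3 back door": [rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"],
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID)
    "03/04 int 2Fh/1684h": [rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)"],
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": [rb"\xB8\x4F\x00\xCD\x41"],
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": [rb"\xB4\x43\xCD\x68"],
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID or \\.\NTICE device names
    "11 MeltICE device name": [re.escape(b"\\\\.\\")
                               + rb"(?:SICE|SIWVID|NTICE)\x00"],
    # Method 12: push 4Fh / push 2A002Ah right before the VxDCall
    "12 VxDCall VWIN32_Int41Dispatch": [rb"\x6A\x4F\x68\x2A\x00\x2A\x00"],
    # Method 13: the NuMega registry key
    "13 registry key": [re.escape(b"Software\\NuMega\\SoftICE")],
}


def scan(data):
    """Return {label: sorted offsets} for every signature present in data."""
    hits = {}
    for label, patterns in SIGNATURES.items():
        offsets = sorted({m.start() for p in patterns
                          for m in re.finditer(p, data, re.DOTALL)})
        if offsets:
            hits[label] = offsets
    return hits


# Constructed sample buffer: filler bytes around sequences taken from the
# listings above (Method 02, Method 11 strings, Method 12, Method 13 key).
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00" + b"\\\\.\\SIWVID\x00"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"        # push 4Fh / push 2A002Ah
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for label, offsets in scan(SAMPLE).items():
        print(label + ": at " + ", ".join("%#06x" % o for o in offsets))
```

Run it against a real file with `scan(open(path, "rb").read())`; a hit only says the fingerprint bytes are present, so confirm it in the disassembly the way the BPX conditions above confirm it at run time.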
8 u. b+ N/ M: Q/ R; h% o) ?$ i8 T) Z$ Y9 N; z- O
__________________________________________________________________________1 V- R- L! [2 o% Y: Q) E( ?
# @9 Y$ m% V9 b
" V( }; c6 W/ s! g0 NMethod 14 # n6 n5 C( B% n3 g
=========
; C$ g) J$ u" n0 f! q K1 A
" l) s- ?" X3 H. ~3 N% y5 GA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" K- ]' W+ Z7 Zis to determines whether a debugger is running on your system (ring0 only).
6 d; [/ w3 O) C$ |" ^
4 R: [6 V, A1 t+ a+ b) I2 c VMMCall Test_Debug_Installed# A+ [7 l8 v! h$ |/ P6 j1 `5 i- m1 P
je not_installed9 T M* p& s4 D) F* q
! V3 k( V; M# J3 R9 y+ x
This service just checks a flag.
8 P$ G6 a# m: x: Y2 d9 {8 A</PRE></TD></TR></TBODY></TABLE> |