<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK' : BoundsChecker signature
  mov ax, 04h           ; BoundsChecker interface function
  int 3                 ; SoftICE's int 3 handler recognises 'BCHK'
  cmp al,4              ; AL is only modified when SoftICE answered
  jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

  xor di,di
  mov es,di             ; ES:DI = 0 before the call
  mov ax, 1684h         ; Get Device API Entry Point
  mov bx, 0202h         ; VxD ID of winice
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

  xor di,di
  mov es,di             ; ES:DI = 0 before the call
  mov ax, 1684h         ; Get Device API Entry Point
  mov bx, 7a5Fh         ; VxD ID of SIWVID
  int 2fh
  mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh            ; debugger installation check
  int 41h
  cmp ax, 0F386h        ; magic number returned by a system debugger
  jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  xor ax,ax
  mov es,ax             ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]   ; install our own int 41h handler,
  xchg bx, es:[41h*4+2] ; keeping the old vector in BX:DX
  mov ax,4fh
  int 41h               ; a system debugger hooks this before our handler
  xchg dx, es:[41h*4]   ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret                  ; does nothing: AX stays 4fh unless a debugger answered
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl,al             ; proves that our handler actually ran
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax             ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]   ; install our own int 41h handler,
  xchg bx, es:[41h*4+2] ; keeping the old vector in BX:DX
  in al, 40h            ; read the PIT counter: a changing value
  xor cx,cx
  int 41h               ; if SoftICE swallows int 41h, our handler never runs
  xchg dx, es:[41h*4]   ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl,al             ; CL == AL only if our handler ran
  jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h         ; magic number returned by a system debugger
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
  BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

  mov ah, 25h                   ; DOS: set interrupt vector
  mov al, Int_Number            ; 01h or 03h
  mov dx, offset New_Int_Routine ; ds:dx -> new handler
  int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SICE device only succeeds when the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025     ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
  *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(
-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(
-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                   ; OF_READ
  mov eax,[00656634]        ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax                   ; HFILE_ERROR (-1) becomes 0
  jnz 00650589              ; detected
  push 00                   ; OF_READ
  mov eax,[00656638]        ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

  push 0000004fh        ; function 4fh
  push 002a002ah        ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001 ; VxDCall
  cmp ax, 0f386h        ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

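As an added example (not part of the original text): a Python signature scanner that flags, in a raw binary, the sequences described in Methods 01 to 07, 11, 12 and 13, the kind of static check an analyst runs to spot these tricks before stepping into them. The byte encodings are my assumption from the listings above (16-bit for the DOS/V86 tricks, 32-bit for Methods 01 and 12, with Method 12 assumed to call VxDCall through the import table), and the sample buffer is constructed.

```python
import re

# Instruction sequences from the methods above; None = wildcard byte (jump
# offsets, addresses). Encodings are assumed: 16-bit for the DOS/V86 tricks,
# 32-bit for Methods 01 and 12 (Method 12 as an indirect call via the IAT).
CODE_PATTERNS = [
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz rel8
    ("Method 01 BCHK signature",
     [0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00,
      0xCC, 0x3C, 0x04, 0x75, None]),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3
    ("Method 02 back door magic values", [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC]),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh
    ("Method 03 int 2Fh/1684h SICE", [0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F]),
    ("Method 04 int 2Fh/1684h SIWVID", [0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F]),
    # Method 05: mov ax,4Fh / int 41h        Method 07: mov ah,43h / int 68h
    ("Method 05 int 41h/4Fh", [0xB8, 0x4F, 0x00, 0xCD, 0x41]),
    ("Method 07 int 68h/43h", [0xB4, 0x43, 0xCD, 0x68]),
    # Method 12: push 4Fh / push 002A002Ah / call dword ptr [VxDCall import]
    ("Method 12 VxDCall Int41Dispatch",
     [0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00, 0xFF, 0x15, None, None, None, None]),
]
# Method 11: device names opened by MeltICE-style code; Method 13: registry key
STRING_PATTERNS = [
    ("Method 11 device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("Method 13 registry key", rb"Software\\NuMega\\SoftICE"),
]

def _match_at(buf, pos, pattern):
    """True if pattern (wildcards allowed) matches buf at pos."""
    if pos + len(pattern) > len(buf):
        return False
    return all(p is None or buf[pos + i] == p for i, p in enumerate(pattern))

def scan(buf):
    """Return sorted (offset, name) hits for every pattern found in buf."""
    hits = []
    for name, pattern in CODE_PATTERNS:
        lead = bytes([pattern[0]])  # every pattern starts with a fixed byte
        pos = buf.find(lead)
        while pos != -1:
            if _match_at(buf, pos, pattern):
                hits.append((pos, name))
            pos = buf.find(lead, pos + 1)
    for name, regex in STRING_PATTERNS:
        hits.extend((m.start(), name) for m in re.finditer(regex, buf))
    return sorted(hits)

# Constructed sample (not a real binary): filler, Method 01, Method 02, strings
SAMPLE = (
    b"\x90" * 4
    + bytes([0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00,
             0xCC, 0x3C, 0x04, 0x75, 0x10])
    + b"\x90" * 3 + bytes([0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC])
    + b"\x00\x00" + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"
)
if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the sequence is present; the surrounding SoftICE breakpoints in each method above are still the way to confirm it actually executes.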
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed      ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>