<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands....
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh

Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; es must point to the IVT (segment 0) here, as set up in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own int 41h handler
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68

(function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
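As an added example (not part of the original text), here is a small C scanner that flags the instruction sequences of methods 01, 02, 03, 04, 05, 07 and 12 inside a raw code buffer, the way an analyst would triage a packed executable for these tricks before tracing it. The opcode bytes are hand-assembled from the listings above, and the two sample buffers are constructed.

```c
/* Added example, not from the original text: static scanner for the
 * anti-SoftICE sequences of methods 01, 02, 03, 04, 05, 07 and 12. Opcodes
 * are hand-assembled from the listings; 0x66 operand-size prefixes in the
 * scanned bytes are skipped so 16-bit and 32-bit encodings both match. */
#include <stdio.h>
#include <stddef.h>
typedef struct { const char *name; unsigned char pat[9]; size_t len; } sig_t;
static const sig_t sigs[] = {
    /* mov ebp,'BCHK'; mov ax,4; int 3 */
    {"Method 01 (BCHK)", {0xBD,0x4B,0x48,0x43,0x42,0xB8,0x04,0x00,0xCC}, 9},
    /* mov si,4647h; mov di,4A4Dh; int 3 */
    {"Method 02 (int 3 back door)", {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC}, 7},
    /* mov ax,1684h; mov bx,0202h; int 2Fh */
    {"Method 03 (int 2F/1684 SICE)", {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}, 8},
    /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
    {"Method 04 (int 2F/1684 SIWVID)", {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}, 8},
    /* mov ax,4Fh; int 41h; cmp ax,0F386h */
    {"Method 05 (int 41/4F)", {0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3}, 8},
    /* mov ah,43h; int 68h; cmp ax,0F386h */
    {"Method 07 (int 68/43)", {0xB4,0x43,0xCD,0x68,0x3D,0x86,0xF3}, 7},
    /* push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
    {"Method 12 (VxDCall Int41Dispatch)", {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}, 7},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])
/* Match pat at buf[pos]; 0x66 prefixes in buf that pat does not list are skipped. */
static int match_at(const unsigned char *buf, size_t n, size_t pos,
                    const unsigned char *pat, size_t plen)
{
    size_t i = pos, j = 0;
    while (j < plen) {
        if (i >= n) return 0;
        if (buf[i] == 0x66 && pat[j] != 0x66) { i++; continue; }
        if (buf[i] != pat[j]) return 0;
        i++; j++;
    }
    return 1;
}
/* Scan buf; prints each hit and returns a bitmask, bit k set if sigs[k] matched. */
unsigned scan_antidebug(const unsigned char *buf, size_t n)
{
    unsigned found = 0;
    for (size_t pos = 0; pos < n; pos++)
        for (size_t k = 0; k < NSIGS; k++)
            if (!(found & (1u << k)) && match_at(buf, n, pos, sigs[k].pat, sigs[k].len)) {
                printf("offset %04zx: %s\n", pos, sigs[k].name);
                found |= 1u << k;
            }
    return found;
}
/* Constructed 32-bit stub: method 01 (66h prefix on mov ax,4) then method 12. */
static const unsigned char sample32[] = {
    0x55,0x8B,0xEC, 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04,
    0x75,0x10, 0x90, 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };
/* Constructed 16-bit stub: method 02 (as in Haspinst.exe) then method 05. */
static const unsigned char sample16[] = {
    0xB8,0x11,0x09, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x43,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05 };
unsigned scan_sample32(void) { return scan_antidebug(sample32, sizeof sample32); }
unsigned scan_sample16(void) { return scan_antidebug(sample16, sizeof sample16); }
```

Running the scanner on a real packer stub only tells you which tricks are present; the breakpoints listed under each method are still the way to catch them live.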

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>