About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
/ H0 ?7 a2 n8 e3 E6 X3 K
* S% f. v6 W& V
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
# F6 q! I+ K7 g+ S3 J  R0 R
* J, o. l; h6 Z0 O* s) x# U6 y9 p0 A. Q/ w" f+ G: Z4 U
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
* T( ~( h9 l  m# B( I) G
/ T0 J. E. ?) S7 f0 N1 j: ~& w0 J
Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
# [7 c) p% C2 @, a: y4 h8 @* b' G, I% w
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
. f+ z7 m6 ]- i. h2 {' W0 m+ }7 [( \0 F2 c" c. q4 M' L
# b. B) p+ o6 {2 i
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
1 @# e; l: @4 _8 u! T  {; z% S, N) E" ]5 ?  E$ M8 I) @6 z' C# q, y1 c
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
/ u; P& U6 U% e3 f) |" Y+ D
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
) X4 I% C; f4 b- X+ k/ g3 r7 K# _! Z5 E! s, u8 E
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
& f; z5 e" x* n
. l6 Z2 N  y% K8 \# s, N* B) \3 z* ?+ N6 B- u" i
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
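Method 10 above relies on DR7 reading 0x700 under the SoftICE loader and 0x400 otherwise, and on DR0..DR3 being armed for BPMs, without spelling out which bits carry that information. The decoder below is an added example written for this page, not code from the original post: it splits DR7 into the per-register enable, R/W and LEN fields and the LE/GE bits that separate 0x700 from 0x400, so an analyst can see exactly what a ring-0 check of this kind observes. Bit positions follow the Intel SDM (bit 10 is reserved and always reads as 1, which is why an idle DR7 is 0x400); the 0x700/0x400 heuristic is the post's claim, wrapped here in `matches_loader_signature()`, a function name chosen for this example. All DR7 values fed to it are constructed, not captured from a machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7. Bit layout per Intel SDM vol. 3 ("Debug Registers"):
   bits 0-7  L0,G0 .. L3,G3   local/global enable for DR0..DR3
   bit  8    LE, bit 9 GE     exact-breakpoint enables
   bit  10   reserved, always reads as 1 (so an idle DR7 reads 0x400)
   bit  13   GD               general detect: trap any MOV to/from a DRn
   bits 16+  R/W n, LEN n     2 bits each, 4 bits per breakpoint */
typedef struct {
    bool     enabled[4];
    unsigned rw[4];      /* 0 exec, 1 write, 2 I/O, 3 read/write */
    unsigned len[4];     /* 0 = 1 byte, 1 = 2 bytes, 2 = undefined (8 on 64-bit), 3 = 4 bytes */
    bool     le, ge, gd;
} dr7_view;

dr7_view decode_dr7(uint32_t dr7)
{
    dr7_view v = {0};
    for (int n = 0; n < 4; n++) {
        v.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;   /* Ln or Gn set */
        v.rw[n]      = (dr7 >> (16 + 4 * n)) & 3u;
        v.len[n]     = (dr7 >> (18 + 4 * n)) & 3u;
    }
    v.le = (dr7 >> 8) & 1u;
    v.ge = (dr7 >> 9) & 1u;
    v.gd = (dr7 >> 13) & 1u;
    return v;
}

/* How many of DR0..DR3 are armed: the "memory breakpoints set" half of Method 10. */
int armed_breakpoints(uint32_t dr7)
{
    dr7_view v = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += v.enabled[n];
    return count;
}

/* The post's loader heuristic: 0x700 means LE and GE are set on top of the
   reserved bit, 0x400 means only the reserved bit. Name chosen for this
   example; it is not any API. */
bool matches_loader_signature(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

static const char *rw_name(unsigned rw)
{
    static const char *names[] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

static void print_dr7(uint32_t dr7)
{
    dr7_view v = decode_dr7(dr7);
    printf("DR7=0x%08x LE=%d GE=%d GD=%d armed=%d loader-signature=%s\n",
           (unsigned)dr7, v.le, v.ge, v.gd, armed_breakpoints(dr7),
           matches_loader_signature(dr7) ? "yes" : "no");
    for (int n = 0; n < 4; n++)
        if (v.enabled[n])
            printf("  DR%d: %s, len code %u\n", n, rw_name(v.rw[n]), v.len[n]);
}

int main(void)
{
    /* Constructed sample values, not captures from a real machine. */
    print_dr7(0x400);       /* idle: reserved bit only */
    print_dr7(0x700);       /* what the post reports under the SoftICE loader */
    print_dr7(0x000F0401);  /* L0 set, DR0 = 4-byte read/write: a typical BPM */
    return 0;
}
```

Reading DR7 is a privileged instruction, so this decoder only models the value; the ring-0 read itself is what Method 10 describes. The comparison against 0x300 deliberately ignores bit 10, which is set on every CPU regardless of any debugger.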

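Several of the tricks above leave fixed byte sequences or strings in the protected binary: the 'BCHK' immediate of Method 01, the SI/DI magic values of Method 02, the int 41h/4Fh and int 68h/43h calls of Methods 05 and 07, the \\.\SICE-style device names of Method 11 and the NuMega registry key of Method 13. A static triage scan for those sequences is the natural complement to the BPX conditions the post lists, and it tells an analyst which tricks to expect before tracing. The block below is an added example written for this page, not code from the post: the byte encodings are the standard 16-bit x86 forms for the DOS snippets and the 32-bit form for the `mov ebp` of Method 01 (an assumption of this example; a 66h prefix may precede that one in 16-bit code), the labels are this example's own, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One static signature; the label names the method it comes from. */
typedef struct {
    const char    *label;
    const uint8_t *bytes;
    size_t         len;
} signature;

/* Byte forms of the listings (assumed encodings, see lead-in). */
static const uint8_t sig_bchk[]  = {0xBD, 0x4B, 0x48, 0x43, 0x42};        /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t sig_magic[] = {0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A};  /* mov si,4647h / mov di,4A4Dh */
static const uint8_t sig_int41[] = {0xB8, 0x4F, 0x00, 0xCD, 0x41};        /* mov ax,4Fh / int 41h */
static const uint8_t sig_int68[] = {0xB4, 0x43, 0xCD, 0x68};              /* mov ah,43h / int 68h */

#define BYTESIG(label, arr) { label, arr, sizeof(arr) }
#define STRSIG(label, str)  { label, (const uint8_t *)(str), sizeof(str) - 1 }

static const signature signatures[] = {
    BYTESIG("Method 01: BoundsChecker 'BCHK' magic loaded into ebp", sig_bchk),
    BYTESIG("Method 02: back door magic values SI=4647h DI=4A4Dh",    sig_magic),
    BYTESIG("Method 05: int 41h function 4Fh debugger check",         sig_int41),
    BYTESIG("Method 07: int 68h function 43h debugger check",         sig_int68),
    STRSIG ("Method 11: MeltICE device name \\\\.\\SICE",             "\\\\.\\SICE"),
    STRSIG ("Method 11: MeltICE device name \\\\.\\SIWVID",           "\\\\.\\SIWVID"),
    STRSIG ("Method 11: MeltICE device name \\\\.\\NTICE",            "\\\\.\\NTICE"),
    STRSIG ("Method 13: NuMega SoftICE registry key",                 "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof signatures / sizeof signatures[0])

typedef struct {
    size_t      offset;
    const char *label;
} hit;

/* Linear scan: every signature tested at every offset. Adequate for triage of
   one file; use a multi-pattern matcher for bulk work. Returns the total hit
   count even when more than max_hits were found (only max_hits are stored). */
size_t scan_anti_softice(const uint8_t *buf, size_t len, hit *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t pos = 0; pos < len; pos++) {
        for (size_t i = 0; i < NSIGS; i++) {
            const signature *s = &signatures[i];
            if (pos + s->len <= len && memcmp(buf + pos, s->bytes, s->len) == 0) {
                if (n < max_hits) {
                    out[n].offset = pos;
                    out[n].label  = s->label;
                }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample, not a real binary: filler, a Method 02 back door call,
   a Method 05 int 41h check, then a MeltICE device name. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x90, 0x90,
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0xB8, 0x4F, 0x00, 0xCD, 0x41,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

#define MAX_HITS 16

size_t sample_hit_count(void)
{
    hit hits[MAX_HITS];
    return scan_anti_softice(sample, sizeof sample, hits, MAX_HITS);
}

/* Offset of the i-th hit in the sample, or (size_t)-1 if there is none. */
size_t sample_hit_offset(size_t i)
{
    hit hits[MAX_HITS];
    size_t n = scan_anti_softice(sample, sizeof sample, hits, MAX_HITS);
    return (i < n && i < MAX_HITS) ? hits[i].offset : (size_t)-1;
}

/* Label of the i-th hit in the sample, or NULL if there is none. */
const char *sample_hit_label(size_t i)
{
    hit hits[MAX_HITS];
    size_t n = scan_anti_softice(sample, sizeof sample, hits, MAX_HITS);
    return (i < n && i < MAX_HITS) ? hits[i].label : NULL;
}

int main(void)
{
    hit hits[MAX_HITS];
    size_t n = scan_anti_softice(sample, sizeof sample, hits, MAX_HITS);
    printf("%zu anti-SoftICE signature(s) found\n", n);
    for (size_t i = 0; i < n && i < MAX_HITS; i++)
        printf("  +0x%04zx  %s\n", hits[i].offset, hits[i].label);
    return 0;
}
```

Two caveats follow directly from the post. Packers, which it names as the heaviest users of Methods 01 and 02, decrypt their code at run time, so a scan of the file on disk sees only the outer layer; dump after unpacking or scan memory. And the sequences above match the exact register order shown in the listings: a protection that loads DI before SI, or builds 0F386h in two halves, walks past them, which is why the post's BPX conditions on the live call remain the more reliable check.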