<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP = 'BCHK' and
AX = 4, the INT 3 is answered by SoftICE, which changes AL. If AL is
still 4 afterwards, nobody answered and SoftICE is not loaded.

          mov ebp, 04243484Bh      ; 'BCHK'
          mov ax, 04h
          int 3
          cmp al,4
          jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, which gives information about breakpoints,
executes SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is done by the program's own INT 3 handler (SEH-style)
  when no debugger is loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its
API entry point; otherwise ES:DI stays 0:0, which is why ES and DI are
added and tested below.

          xor di,di
          mov es,di
          mov ax, 1684h
          mov bx, 0202h            ; VxD ID of WINICE
          int 2Fh
          mov ax, es               ; ES:DI -> VxD API entry point
          add ax, di
          test ax,ax
          jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

          xor di,di
          mov es,di
          mov ax, 1684h
          mov bx, 7a5Fh            ; VxD ID of SIWVID
          int 2fh
          mov ax, es               ; ES:DI -> VxD API entry point
          add ax, di
          test ax,ax
          jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h that every system debugger
returns (in AX) to int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

          mov ax,4fh
          int 41h
          cmp ax, 0F386h
          jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps in its own int 41h handler (a
plain IRET) for the duration of the call: without a debugger AX comes back
unchanged, whereas SoftICE, which intercepts the interrupt before the
real-mode vector is used, is still expected to answer 0F386h:

          xor ax,ax
          mov es,ax                ; ES -> interrupt vector table (the original
                                   ; listing assumes ES is already 0)
          mov bx, cs
          lea dx, int41handler2
          xchg dx, es:[41h*4]      ; install the dummy handler, keep the old
          xchg bx, es:[41h*4+2]    ; vector in DX:BX
          mov ax,4fh
          int 41h
          xchg dx, es:[41h*4]      ; restore the original vector
          xchg bx, es:[41h*4+2]
          cmp ax, 0f386h
          jz SoftICE_detected

int41handler2 PROC
          iret                     ; returns with AX untouched
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
does not compare AX with 0F386h at all. It reads a changing byte from the
timer (port 40h, the PIT counter), clears CX, and calls int 41h while its
own handler is installed. If the dummy handler ran (no debugger), CL == AL
afterwards; if SoftICE swallowed the interrupt, CL stays 0 and the compare
fails.

int41handler PROC
          mov cl,al                ; prove that this handler ran
          iret
int41handler ENDP

          xor ax,ax
          mov es,ax                ; ES -> interrupt vector table
          mov bx, cs
          lea dx, int41handler
          xchg dx, es:[41h*4]      ; install the handler, keep the old vector
          xchg bx, es:[41h*4+2]
          in al, 40h               ; pseudo-random byte from the PIT
          xor cx,cx
          int 41h
          xchg dx, es:[41h*4]      ; restore the original vector
          xchg bx, es:[41h*4+2]
          cmp cl,al
          jnz SoftICE_detected

Caveat: when the byte read from port 40h happens to be 0, CL == AL holds even
if the handler never ran, so this check misses a debugger about 1 time in 256.

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h is the
debugger installation check, answered with 0F386h in AX.

          mov ah,43h
          int 68h
          cmp ax,0F386h
          jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

     BPX exec_int if ax==68
     (the function called is located at byte ptr [ebp+1Dh] and the client eip is
     located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

          mov ah, 25h                       ; set interrupt vector
          mov al, Int_Number                ; 01h or 03h
          mov dx, offset New_Int_Routine    ; DS:DX -> new handler
          int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
possible from ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

          mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
          mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
          VMMCall Get_DDB
          mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

     bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
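
Added example (not part of the original text): a small Python decoder for the
DR7 value that Method 10 reads. The bit layout is the architectural one from
the Intel manual (L/G enable pairs in bits 0-7, LE bit 8, GE bit 9, reserved
bit 10 always reading as 1, GD bit 13, one R/W and LEN field pair per
breakpoint in bits 16-31), which is exactly why a clean system shows 0x400
and a program started under a debugger loader shows 0x700. The helper names
and the sample DR0 address 401000h are my own choices; reading the registers
themselves still needs ring0 (MOV EAX,DR7).

```python
"""Decode DR7 and report what a Method 10 style check would see.

Added example, not code from the page. Layout per Intel SDM vol. 3,
"Debug Registers"; helper names and the sample address are assumptions.
"""
from typing import Dict, List, Sequence

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes only in 64-bit mode

DR7_LE = 1 << 8                                # local exact breakpoint enable
DR7_GE = 1 << 9                                # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10                        # always reads as 1
DR7_GD = 1 << 13                               # general detect: MOV to/from DRn traps
DR7_CLEAN = DR7_RESERVED1                      # 0x400: nothing set, as the text says
DR7_LOADER = DR7_RESERVED1 | DR7_LE | DR7_GE   # 0x700: LE/GE set by a debugger loader


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its flags and the four breakpoint slot descriptions."""
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({"slot": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "slots": slots}


def assess(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[str]:
    """Findings a Method 10 check would report from DR7 plus DR0..DR3."""
    d = decode_dr7(dr7)
    out: List[str] = []
    if d["le"] or d["ge"]:
        out.append("DR7=%#x has LE/GE set: started under a debugger loader" % dr7)
    for s, addr in zip(d["slots"], dr0_3):
        if s["enabled"]:
            out.append("DR%d: %s breakpoint, %d byte(s) at %#x (%s)" % (
                s["slot"], s["kind"], s["length"], addr,
                "global" if s["global"] else "local"))
    if d["gd"]:
        out.append("DR7 GD set: the debugger traps any access to DRn")
    return out


def clear_breakpoints(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop the L/G enables (bits 0-7) and
    the R/W-LEN fields (bits 16-31); LE, GE, GD and the reserved bit stay."""
    return dr7 & 0xFF00


def bpm_dr7(slot: int, kind: str, length: int, global_: bool = False) -> int:
    """DR7 bits one memory breakpoint (BPM) contributes on top of a clean 0x400."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if global_ else 0))
    return DR7_CLEAN | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    # Constructed values: clean system, loader only, loader plus a 4-byte BPM W at 401000h.
    for value in (DR7_CLEAN, DR7_LOADER, DR7_LOADER | bpm_dr7(0, "write", 4)):
        print("%#010x -> %s" % (value, assess(value, (0x401000, 0, 0, 0)) or ["nothing"]))
```

assess() gives the verdict a protection would act on, clear_breakpoints() is
the "clearing BPMs" manipulation, and bpm_dr7() shows which bits a single BPM
leaves behind, which is what such a check has to find.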
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID on Win9x, NTICE
on WinNT) with the CreateFileA API. If the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears eax and the Carry flag
to allow the handle to be opened, and SoftICE is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025        ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
     (esp->4 is lpFileName; +4 skips the "\\.\" prefix so the 4-byte compare
     sees the first four letters of the device name)

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(
-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(
-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

          push 00                  ; OF_READ
          mov eax,[00656634]       ; '\\.\SICE',0
          push eax
          call KERNEL32!_lopen
          inc eax                  ; HFILE_ERROR (-1) becomes 0
          jnz 00650589             ; detected
          push 00                  ; OF_READ
          mov eax,[00656638]       ; '\\.\SICE'
          push eax
          call KERNEL32!_lopen
          inc eax
          jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

          push 0000004fh           ; function 4fh
          push 002a002ah           ; high word specifies which VxD (VWIN32),
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
          call Kernel32!ORD_0001   ; VxDCall
          cmp ax, 0f386h           ; magic number returned by system debuggers
          jz SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f

     BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in
     "Software\NuMega\SoftICE" and in the long Uninstall path of key #1)
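
Added example (not part of the original text): a Python scanner for the
byte-level residue that Methods 01 to 07, 11, 12 and 13 leave in a binary,
so a packed DOS or Win9x program can be triaged for these tricks before it is
loaded under SoftICE. The opcode patterns are my own 16-bit encodings of the
listings above (in 32-bit code a 66h prefix precedes the matched bytes and
does not hurt); the 16-byte gap allowed between the halves of a sequence and
the hand-assembled SAMPLE blob are assumptions made for this example, not
data from the page.

```python
"""Static scanner for the SoftICE-detection residue of Methods 01-07, 11-13.

Added example, not code from the page. Searches a raw blob (DOS .exe, PE
section, dumped memory) for the instruction encodings and strings those
methods leave behind. Opcodes are encoded as 16-bit code, as in the listings.
"""
import re
import sys
from typing import List, Tuple


def _ascii_or_utf16(text: str) -> bytes:
    """Regex alternation matching text as plain ASCII or as UTF-16LE."""
    return (b"(?:" + re.escape(text.encode("ascii")) + b"|"
            + re.escape(text.encode("utf-16-le")) + b")")


DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]                # Method 11
REGISTRY_KEYS = [r"NuMega\SoftICE", r"Uninstall\SoftICE",                 # Method 13
                 r"App Paths\Loader32.Exe"]

# (label, byte regex, flags). Opcode patterns are case-sensitive on purpose:
# bytes such as 42h/43h are ASCII letters and must not match their lowercase.
# '.{0,16}?' is an assumed tolerance for a few instructions between two halves.
SIGNATURES: List[Tuple[str, bytes, int]] = [
    ("M01 mov ebp,'BCHK' (BoundsChecker int 3 interface)",
     rb"\xBD\x4B\x48\x43\x42", 0),
    ("M02 back door function AX=0910h..0914h",
     rb"\xB8[\x10-\x14]\x09", 0),
    ("M02 back door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL),
    ("M03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02.{0,16}?\xCD\x2F", re.DOTALL),
    ("M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A.{0,16}?\xCD\x2F", re.DOTALL),
    ("M05/06 int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL),
    ("M05/07/12 cmp ax,0F386h (system debugger magic number)",
     rb"\x3D\x86\xF3", 0),
    ("M07 int 68h function 43h",
     rb"\xB4\x43.{0,16}?\xCD\x68", re.DOTALL),
    ("M11 MeltICE device name",
     b"|".join(_ascii_or_utf16(n) for n in DEVICE_NAMES), re.IGNORECASE),
    ("M13 SoftICE registry key",
     b"|".join(_ascii_or_utf16(k) for k in REGISTRY_KEYS), re.IGNORECASE),
]
COMPILED = [(label, re.compile(pat, flags)) for label, pat, flags in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, ordered by offset."""
    hits = [(m.start(), label) for label, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the listings above hand-assembled as 16-bit code,
# followed by the strings Methods 11 and 13 look for.
SAMPLE = bytes.fromhex(
    "66BD4B484342" "B80400" "CC" "3C04" "7505"   # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"       # M02: Haspinst loop body
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"       # M03: xor di,di; mov es,di; ax=1684h; bx=202h; int 2Fh
    "B84F00" "CD41" "3D86F3" "7403"              # M05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    "B443" "CD68" "3D86F3"                       # M07: mov ah,43h; int 68h; cmp ax,0F386h
) + b"\\\\.\\SICE\0" + "\\\\.\\NTICE".encode("utf-16-le") + b"\0\0" \
  + b"Software\\NuMega\\SoftICE\0"

if __name__ == "__main__":
    for path in sys.argv[1:] or [None]:
        hits = scan_file(path) if path else scan(SAMPLE)
        print(path or "<built-in sample>")
        for offset, label in hits:
            print("  %06x  %s" % (offset, label))
```

Run it with file names to scan those files, or without arguments to see the
hits on the built-in sample; each hit is an offset to look at in the
disassembler, and a hit on "cmp ax,0F386h" alone is only a hint until the
matching int 41h/68h or VxDCall is found next to it.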
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

          VMMCall Test_Debug_Installed
          je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>