About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is expected to be 0 here (segment of the interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value: unpredictable input
    xor     cx,cx
    int     41h                     ; our handler copies al to cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
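An analyst looking at a protected binary wants to know which of the tricks catalogued above it carries. The following Python scanner is an added example, not code from the original post: it searches a raw byte blob for the instruction encodings and strings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13, and the sample buffer at the bottom is constructed by hand for the demonstration.

```python
"""Static triage of a raw binary for the SoftICE-detection idioms listed above."""
import re

# (label, regex over raw bytes). An optional 66h operand-size prefix lets the
# 16-bit immediates also match when the same code was assembled in 32-bit mode.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("M01 BoundsChecker BCHK/int 3", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (a few bytes may sit between them)
    ("M02 int 3 backdoor SI=4647h DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh magic F386h",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall 002A002Ah/4Fh", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: driver device names opened with CreateFileA/_lopen
    ("M11 device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys revealing the installation directory
    ("M13 registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of the tricks, not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"      # method 01
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                               # method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0"  # method 03
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
    + b"\\\\.\\SICE\x00"                                           # method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # method 13
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Run it over a dumped section or an unpacked image rather than a packed file, since the encryptors the text mentions hide these bytes until runtime.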