<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h
    int 3
    cmp al, 4               ; if AL is no longer 4, SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di              ; ES:DI = 0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0 if no VxD answered
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler (assumes ES = 0,
    xchg bx, es:[41h*4+2]      ; the interrupt vector table)
    mov ax, 4fh
    int 41h                    ; if AX comes back 0F386h, something other than
    xchg dx, es:[41h*4]        ; our handler answered: restore the vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler simply copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port to get an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL: our handler was not the one that ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
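As an added example (not code from the original text), a Python decoder of the DR7 layout: it shows that the 0x700 and 0x400 values quoted above differ only in the LE and GE bits (bit 10 is the always-set reserved bit), and lists which of DR0-DR3 are armed. The register values fed to it are constructed.

```python
# Layout of DR7 (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 enable pairs,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16-31 = R/W0,LEN0 ... R/W3,LEN3 (2 bits each).
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named fields."""
    return {
        "L": [bool(dr7 >> (2 * i) & 1) for i in range(4)],
        "G": [bool(dr7 >> (2 * i + 1) & 1) for i in range(4)],
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "GD": bool(dr7 >> 13 & 1),
        "RW": [(dr7 >> (16 + 4 * i)) & 3 for i in range(4)],
        "LEN": [(dr7 >> (18 + 4 * i)) & 3 for i in range(4)],
    }


def active_breakpoints(dr7: int, dr0_3: list) -> list:
    """(index, address, kind, length) for every armed hardware breakpoint."""
    f = decode_dr7(dr7)
    return [
        (i, addr, RW_KIND[f["RW"][i]], LEN_BYTES[f["LEN"][i]])
        for i, addr in enumerate(dr0_3)
        if f["L"][i] or f["G"][i]
    ]


def dr7_difference(a: int, b: int) -> list:
    """Names of the DR7 control flags that differ between two values."""
    fa, fb = decode_dr7(a), decode_dr7(b)
    return [k for k in ("LE", "GE", "GD") if fa[k] != fb[k]]


if __name__ == "__main__":
    # The two values quoted in the text: 0x700 (SoftICE loader) vs 0x400 (plain).
    print(dr7_difference(0x700, 0x400))                 # ['LE', 'GE']
    # Constructed register set: a 4-byte read/write breakpoint armed in DR0.
    print(active_breakpoints(0xF0401, [0x00401000, 0, 0, 0]))
```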

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Actually, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

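As an added example (not code from the original text or from any tool it names), a Python scanner that searches a binary for the byte patterns behind methods 01, 02, 05 and 11, the way an analyst triages a protected executable for these tricks. The instruction encodings are hand-assembled from the listings above and the sample blob is constructed, so it runs offline.

```python
import re

# Device names the MeltICE check (method 11) opens via "\\.\<name>".
DEVICE_NAMES = (b"SICE", b"SIWVID", b"NTICE")

# (name, pattern). Immediates are little-endian; encodings hand-assembled from the listings.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') [; mov ax, 4] ; int 3   (32-bit code)
    ("method01_boundschecker",
     re.compile(rb"\xBD\x4B\x48\x43\x42(?:\x66\xB8\x04\x00)?\xCC")),
    # Method 02: mov si, 4647h ; mov di, 4A4Dh ; int 3   (16-bit backdoor magic values)
    ("method02_backdoor_magic",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)")),
    # Method 05: mov ax, 4Fh ; int 41h   (debugger installation check)
    ("method05_int41_4f", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Methods 05/07/12: cmp ax, 0F386h (3D iw). Only 3 bytes, so treat a lone hit
    # as a weak indicator that needs a neighbouring int 41h / int 68h / VxDCall.
    ("magic_F386_compare", re.compile(rb"\x3D\x86\xF3")),
    # Method 11: NUL-terminated "\\.\SICE"-style device path passed to CreateFileA/_lopen
    ("method11_meltice_device",
     re.compile(b"(?:" + b"|".join(re.escape(b"\\\\.\\" + n) for n in DEVICE_NAMES)
                + rb")\x00")),
]


def scan(blob: bytes) -> list:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "binary": filler around hand-assembled fragments from the text.
SAMPLE = (
    b"\x90" * 8                                     # offset 0: filler
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # offset 8: method 01
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"           # offset 22: method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # offset 30: method 05 (cmp at 35)
    + b"\x00\\\\.\\SICE\x00"                        # offset 39: method 11 device path
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):          # a real file: scan(open(path, "rb").read())
        print(f"{off:#06x}  {name}")
```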
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>