<TABLE width=500>. e7 Y3 N3 W3 g- v D" {6 E/ g/ Y$ J
<TBODY>; d2 \7 E* i. z W' i
<TR>, @6 f: a6 _+ {( L$ [
<TD><PRE>Method 01 3 u' h. ?8 H) M, q/ f4 _
=========3 d3 u5 C; k' D& [: r
7 W& V" |# T: f1 M+ Z" K
This method of detection of SoftICE (as well as the following one) is- }6 n: d5 m) B- j
used by the majority of packers/encryptors found on Internet.: ` `( q1 r; q1 c
It seeks the signature of BoundsChecker in SoftICE
7 J& _! S, U) E& d2 w; |& `. }
' V$ M9 I3 p! }% Y+ M! d& R- M _ mov ebp, 04243484Bh ; 'BCHK'
9 O$ D* }6 W- a2 w mov ax, 04h
5 s. m0 r0 O3 O5 k- H. O5 i int 3
4 O1 a) j4 j4 E5 h' S! g$ j+ z cmp al,4: v& w! Q, c$ Y
jnz SoftICE_Detected
" J, O, Q- h, W' ?, ^
8 i* ?7 | v _& k$ ____________________________________________________________________________2 G3 Q; l6 w$ E" H& u7 |5 l
* d6 y7 Z' C0 L7 p( b5 i
Method 02
. a2 q! b7 ~* u* M" P=========1 e$ F% q0 ~% P, e# [, h: s
% z# r9 h" ?1 W4 pStill a method very much used (perhaps the most frequent one). It is used' p9 ~; q9 b h ^+ U7 y6 c6 F
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,! i/ c0 h. g) ?2 b/ }% ]4 q% a
or execute SoftICE commands..." q2 u5 V4 M/ J( @
It is also used to crash SoftICE and to force it to execute any commands) H# g& N6 X2 M4 W- x* B- Z0 v
(HBOOT...) :-((
. F! [/ L6 y% L
$ ^ d' |( T4 X" u4 n+ l6 GHere is a quick description:
( d. h! n' X8 X! x( x3 i9 r* O-AX = 0910h (Display string in SIce windows)1 }% r: ^* N E4 A4 i7 ?0 b
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
; K2 K; [$ {3 K" E1 A6 K, E: ^# H, H-AX = 0912h (Get breakpoint infos)
0 c+ I! {' I. Y$ k* P-AX = 0913h (Set Sice breakpoints)
' i- w% E3 ]$ @. S9 }6 ^5 K-AX = 0914h (Remove SIce breakoints)3 F O; f, I# {9 ^" p# i* k: X2 E
" c% H4 p$ P# e; ^Each time you'll meet this trick, you'll see:6 B0 k4 j; c5 i8 w; ^$ V
-SI = 4647h/ S. y0 O2 a8 N9 Z. D# F) \
-DI = 4A4Dh
* u2 t, O9 J' y* c% bWhich are the 'magic values' used by SoftIce.- M! R( B4 n: `" |+ O7 x/ v
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.( y3 s4 f5 D2 l5 |
. h2 }( n r% xHere is one example from the file "Haspinst.exe" which is the dongle HASP
9 d* \0 _. z8 U' x; N5 j3 {! V2 UEnvelope utility use to protect DOS applications:
O/ W' M( q# x0 V
# M( H- J! j% o0 p. m$ _. b( h
U$ [; }7 F9 o; F- W. F: V! R4C19:0095 MOV AX,0911 ; execute command.
0 O' }* ?0 B$ k) g5 _4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).6 R: L4 n2 l2 E9 {) H3 ^
4C19:009A MOV SI,4647 ; 1st magic value.* y2 |' R6 @$ L' z0 p0 l- K$ ~
4C19:009D MOV DI,4A4D ; 2nd magic value.
, }! [! ~. W: E" q1 i4 i/ L4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 c) n0 j( y. B4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
" A/ j9 O1 @) x; v3 d0 C- D4C19:00A4 INC CX
9 A9 [7 n% @- A7 s4 ]: {" E @! K4C19:00A5 CMP CX,06 ; Repeat 6 times to execute, R" S- `* i% c* o7 m. f( l
4C19:00A8 JB 0095 ; 6 different commands.! k: q6 \5 q0 W U8 L/ _
4C19:00AA JMP 0002 ; Bad_Guy jmp back.! _2 b2 V+ y5 a& \4 p* w8 n2 \
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
# R) X6 v2 a2 ~, ~- A
8 y$ A/ }. N. L0 L0 |The program will execute 6 different SIce commands located at ds:dx, which r% d" s; f! _' x9 ^- J
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.1 O( V, l" e2 ]6 Z+ j6 t6 Z
" @+ X8 x N/ U8 L! |' M9 @
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; r4 r0 m, U+ T/ I7 d8 ]* J___________________________________________________________________________
/ s% W% q0 q& t, ^+ D
# M, e/ H/ p# r3 @" U2 K9 p9 o3 T& S, P9 U
Method 03
1 J+ H% @7 W: d* H/ x; x3 C=========' H, M t6 u Z/ k# Z8 e6 ], p8 O; |
& [" R# R8 o& y$ m! [# nLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' p) T: D7 O. _& o( Q1 ](API Get entry point). Z% R5 l! @( d, o5 W4 @! l
4 s/ \" n( V% w8 r. a
0 Y- Q: v# `. ~3 h( X6 q& t/ I( x2 e xor di,di) ~) _) _" u5 h
mov es,di3 J9 I: T- u+ S+ I2 ?( c
mov ax, 1684h : x+ c& B! r0 @# X
mov bx, 0202h ; VxD ID of winice# m& O% M3 ]" X3 N( K! a
int 2Fh
0 g5 H5 j& L! N0 m1 z( k6 h mov ax, es ; ES:DI -> VxD API entry point% c9 t- `) a6 p0 U8 C: Y) p) v
add ax, di
& x+ S1 M& t/ |$ s: z+ Z9 g test ax,ax
) ^7 e, B( T$ j5 L/ R' {" r jnz SoftICE_Detected
! t* u: v6 k9 a
7 W% N& V" B' J9 Y: m7 M4 r& a3 d___________________________________________________________________________% A. a$ c6 ?* r& _. x# y* p
/ |/ M- ]6 D; K' H7 aMethod 04
; Y C1 K E% n$ T0 u) M% t. N=========* `$ E/ ^$ w& o: e
; D, [8 L) e1 f8 a. w& o4 u
Method identical to the preceding one except that it seeks the ID of SoftICE
: X2 T- e# T9 N& mGFX VxD.
% v& X# Z* f7 ]: w; B2 O9 B4 ^" J, I) y& j' E3 F
xor di,di
- M2 w/ _6 C* C2 Z$ y$ c/ X mov es,di
- L; N4 A- [+ W. l7 b$ J mov ax, 1684h 4 U2 }0 Y7 C: E! V# | }1 i
mov bx, 7a5Fh ; VxD ID of SIWVID
8 h& g" U2 T. x, R3 ` int 2fh: c9 ]4 Y; u- m B' c9 f7 {
mov ax, es ; ES:DI -> VxD API entry point
8 _, q Y6 g+ v# M* b" l7 U add ax, di: I) `. x9 p; i$ L
test ax,ax/ Z7 w8 ]9 R- I0 s8 }. G
jnz SoftICE_Detected! n" A6 H( |# ]$ V4 Z3 M& ^$ k
- j4 o: f* u( h7 h__________________________________________________________________________" e; {9 C% m3 I+ X
$ ^5 j' l0 D9 w' j5 [+ N& U M
$ [: p+ m2 E4 d, X& _" ?Method 05& a7 B% E, @9 @4 w' s }1 ^; E: ~- @2 t
========= X. L* @) [; m& i" T4 N) g2 `
8 _; s" Y5 L& u. f+ C( H" U
Method seeking the 'magic number' 0F386h returned (in ax) by all system
+ J" J% q. S+ }$ C$ }# z* }debugger. It calls the int 41h, function 4Fh.
- x0 Y; \7 J! y3 [There are several alternatives. ; N+ [$ Y, t! }
3 c+ I/ @9 W# g7 f' Z' kThe following one is the simplest:
6 ^5 s7 a* S/ s
4 E9 S" N% _/ b2 _2 u mov ax,4fh
, F0 ~ E" K4 y0 d4 B" d- w" P& M int 41h( W! V0 T+ z0 U, S9 G3 `+ y8 q
cmp ax, 0F386
4 w! H* k7 A1 R9 x Z! ^ jz SoftICE_detected( U" r0 v' f; y' U# v. ?
" M3 J. k! ]1 S* I% J
l7 M" n" k) wNext method as well as the following one are 2 examples from Stone's
1 t# s/ ^ @# H T8 ^/ Z, O"stn-wid.zip" (www.cracking.net):( X# s+ }# p, q( _) u/ m% u- _
& Q/ S# {) P- g mov bx, cs& G, T7 W3 A) l5 r% n$ G8 Q2 X8 i' S
lea dx, int41handler25 x( o- g. f) q& w+ u, Z
xchg dx, es:[41h*4]4 j% {9 b: k, P
xchg bx, es:[41h*4+2]4 q: M4 {) ?# ] s4 k2 m6 Q; i- R
mov ax,4fh
: `( g' J! V$ `8 l! y4 d int 41h- E+ o+ {3 @$ B4 s! t) {, l
xchg dx, es:[41h*4]" U& U. w! c& A8 ?2 }2 P- z
xchg bx, es:[41h*4+2]$ T! a+ \" v* y4 Q- i" u
cmp ax, 0f386h
/ I0 } r3 q8 D; X$ M jz SoftICE_detected
$ y/ _6 u- {$ u) t7 d' p3 E+ _: E' J1 |% T, _+ t5 W2 `
int41handler2 PROC
0 b# [: i0 \3 o& b$ x2 e' I iret. y6 B! I2 {! p: j9 ]
int41handler2 ENDP
# J& c' Z: I: z F9 l8 I7 N
3 ~8 [/ }' {' r- W% q: s" T7 U% U) X& G6 @- }8 A$ Y; M6 T
_________________________________________________________________________
6 c. C* W; Z; o3 c1 |1 |- N, n* i3 {+ ^! _" L
/ z0 I9 e4 t: T' eMethod 06
# I* w4 Y/ z9 ~$ k' j5 g& ]=========
- n% D" J8 @- g
: d; \) M+ |: l- w3 D# l/ |) s% g w8 l8 I, b7 p" |7 C6 {$ e" k
2nd method similar to the preceding one but more difficult to detect:; h$ E, R( d$ Q! Q5 Q9 n
% T' ?8 [# F8 H/ w$ m c, n2 L+ A" f3 \+ V# ?' Q7 `; K
int41handler PROC
& K! F( H( T3 C6 X* q( e mov cl,al
/ R0 ] p( K& o- z1 f$ U- V9 s' Y iret9 a( p6 m$ u8 Q3 B; x# V1 m
int41handler ENDP6 K J/ o. R [, {
9 ~$ c( W& b. V/ X' O+ T E) K& P) V" R4 c1 J
xor ax,ax8 P1 {% a/ b' ^- w! r
mov es,ax. w( ?( l/ s0 L0 r
mov bx, cs
$ W. B% N8 x# j lea dx, int41handler/ L+ g; L) O( F W
xchg dx, es:[41h*4]
1 ^! r& C8 p! ]4 W4 _4 P xchg bx, es:[41h*4+2]6 z3 E5 P* ^3 X* }$ E" c
in al, 40h1 _9 }# `0 V3 q4 U, K4 s; b
xor cx,cx
+ ~) k! |1 {5 T3 U9 e int 41h* E: ~4 u0 z$ O7 |" H/ M1 n
xchg dx, es:[41h*4]; v5 ^4 ?4 I7 C% ?- A- Y
xchg bx, es:[41h*4+2]5 ]- b# u# t) x+ B& f! h* q
cmp cl,al* h% W4 ]4 X# Z, I* J: S" l
jnz SoftICE_detected
' \0 V2 l" R3 g; R2 r
) W" w; l& k& F4 M* Y5 ]_________________________________________________________________________
0 i7 C1 B% B3 N4 }) Z
; s( U4 R9 H1 W( A- H( U9 p/ U! aMethod 07" ^* l- _; P% A* B3 I
=========2 T& C8 q& |! p0 [5 w: C n. B
7 ~. J' j3 ]- |Method of detection of the WinICE handler in the int68h (V86)3 q' |/ y9 t4 {$ G W) L3 G
$ _$ ]3 b7 S* b4 j mov ah,43h
8 @' X5 I7 V/ ~; H/ ?' H int 68h+ ^. t. D8 y7 L- \8 e0 L
cmp ax,0F386h9 m; t( Y! d: w/ i4 ~/ M
jz SoftICE_Detected- U. W9 o4 i) b- v: E3 c
0 Q4 {+ |& J% k% Z3 D
' X& e5 B, }# g( k
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; c4 H( q! `; v; B9 [ app like this:6 |2 C, @4 w- x
9 I/ v$ l, R1 N( \) ~* v8 ` BPX exec_int if ax==685 v- O5 J D# p% v5 [4 g
(function called is located at byte ptr [ebp+1Dh] and client eip is+ M5 t8 M; X1 d% J* A
located at [ebp+48h] for 32Bit apps)+ C. w0 @. r9 A8 r8 `2 I
__________________________________________________________________________
/ a1 _5 Z9 s" M9 ]. S% p
# J9 Q! A2 D4 i" O7 A
3 p/ K6 o, ^" y4 @Method 08! y$ {2 ? F, W D* h8 {
=========
Q6 {. ?5 ~/ b' W: p8 K
' I, z5 g. W f t* O5 v: Z3 A$ SIt is not a method of detection of SoftICE but a possibility to crash the0 O) h _& c/ x# b& Y9 I7 G7 ~; k- n/ k
system by intercepting int 01h and int 03h and redirecting them to another
) |% E4 l9 S# Lroutine.
n# ]- M" ]! x1 I9 dIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
( P, o A3 B; F1 Fto the new routine to execute (hangs computer...)
/ G! c7 M; {0 L# f. U1 R/ O
8 u) M3 N. d5 d. b6 w1 H! y$ K" Z( w mov ah, 25h
+ I$ k: ]/ @; f% B4 q mov al, Int_Number (01h or 03h)
% L" J8 r$ x4 u, S% B, B* D mov dx, offset New_Int_Routine1 K) F5 f* s7 p" G6 f |
int 21h1 [8 ~6 y0 N- D0 _' Q. a& B
4 p$ ~- T4 ^# Q& g, h- y__________________________________________________________________________
5 K% e+ P; G# n% N1 p' g* y
/ Y1 J d9 i* ~" X: H6 ^5 Y; BMethod 09 F! U) @/ c: I
=========* e/ k* b' t' `- _# q7 n
+ j) V3 H6 {' I; ~( }- hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only8 M# j8 x; a( S. m6 w1 F
performed in ring0 (VxD or a ring3 app using the VxdCall).
% i& a0 S: m9 T2 L) _6 pThe Get_DDB service is used to determine whether or not a VxD is installed1 p9 J- i j) Z9 m
for the specified device and returns a Device Description Block (in ecx) for2 E$ X7 w+ R5 O, a: T
that device if it is installed.
6 ]( m' |: Q# ^, E, J; [+ W) P: Q( w, a
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID5 L" a! E& q" m$ p
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
; Y: j) R2 P. w' @6 d* Q: V8 _5 w) F VMMCall Get_DDB: c0 Q. Y/ d" e \% R- V: w3 W
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed6 F4 Z5 c- {5 V# `) H% ]
9 [% L0 A6 q' @" j4 z" ^& VNote as well that you can easily detect this method with SoftICE:1 T/ d+ |* y- d, Q/ L$ j9 ?
bpx Get_DDB if ax==0202 || ax==7a5fh# ^7 a: C* k0 o
5 X4 {& ~; v& A2 Q- }4 Z
__________________________________________________________________________! Q! O4 x* Q0 c) W
7 v2 ]3 ^- ~5 w+ T% y8 a4 zMethod 10 x- c! @. x4 z8 u& D, F
=========
) I& a* Y( e4 O: y5 L, f& {
1 R9 N* ?' v5 G& w' d$ Y=>Disable or clear breakpoints before using this feature. DO NOT trace with
0 t+ j( Z; q) ~& l) P/ E SoftICE while the option is enable!!* E n/ f9 {1 ?% x
4 Y7 ^' W/ P2 L3 kThis trick is very efficient:
/ M' u0 R5 O- X" a- y5 ], L# \by checking the Debug Registers, you can detect if SoftICE is loaded
6 Z$ y, n& Q7 K- W U s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- x5 F$ J, b- D: U
there are some memory breakpoints set (dr0 to dr3) simply by reading their
o0 [$ ?% I% Vvalue (in ring0 only). Values can be manipulated and or changed as well% f" @6 u1 \ k8 }- I& g. p, r% A
(clearing BPMs for instance), i" n( X1 ]% D x9 ~$ d
+ P" b3 F0 G+ V& E5 M__________________________________________________________________________
7 j8 w/ f& [% A7 C
. v4 i! e% U7 J0 Q. i% k( SMethod 11
: p4 n, W3 z- [: T& F' Y" m=========
4 M. y8 ~5 \; t
, L4 d* J( e8 V" A5 S r `; @This method is most known as 'MeltICE' because it has been freely distributed; \6 P, T4 `: B3 f7 e! H! `
via www.winfiles.com. However it was first used by NuMega people to allow
) r1 v* R$ l0 E. S& _Symbol Loader to check if SoftICE was active or not (the code is located
. W" U0 a3 Y1 v f4 d* V& Rinside nmtrans.dll).
9 P# F+ c* ~7 @* H' w: D. p5 Z1 w, m/ B
The way it works is very simple:
# W; T2 U; {" WIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. X$ \! w. D" f0 o# g [% y
WinNT) with the CreateFileA API.
5 f* `+ z9 O( M9 g l1 m7 Z( f+ I
Here is a sample (checking for 'SICE'):$ U: @) q2 q. h5 z# S6 t+ x
) y: E/ r! D. k0 n/ k! d! H; Y& o! fBOOL IsSoftIce95Loaded()
( y: S& x5 Z9 e# i5 A: R{
$ n; m) \, P0 w; k9 ^! i! C HANDLE hFile; ! n. J: ^* V7 b: T
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; q- \. x" Y/ Q) b
FILE_SHARE_READ | FILE_SHARE_WRITE,
2 C" ]( j" w |; {( x, h NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ C/ Z Y$ m: ]- G8 B
if( hFile != INVALID_HANDLE_VALUE )
, l% l4 u, G& v: ?; p {
$ U) B1 ^/ A0 C. B$ ~( |' H CloseHandle(hFile);& J4 W# }( j& U$ p
return TRUE;
, E2 a3 Y7 u9 y }5 s" c: o2 q5 ?/ S6 b
return FALSE;5 l. E% U& w8 x" z
}
: Y& M. i2 {3 ~, \- @+ Y
& O0 C' z, A F) fAlthough this trick calls the CreateFileA function, don't even expect to be
3 V2 C- m% e2 V( lable to intercept it by installing a IFS hook: it will not work, no way!8 g: x. m/ t H/ t
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 l5 p+ _3 ?. j3 _
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' P; _9 l$ [ H3 I
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
( Q* y t5 u: Z9 r6 Efield.' a' w2 A; x/ y5 j% B0 q* u
In fact, its purpose is not to load/unload VxDs but only to send a . o8 d" a6 T( b
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 ~# h% ]# h. Z+ |
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
) W p. L! P6 `5 m. \0 ito load/unload a non-dynamically loadable driver such as SoftICE ;-).
+ W+ w3 g' J- C+ ^If the VxD is loaded, it will always clear eax and the Carry flag to allow, Q; f! C* I; W/ k; A
its handle to be opened and then, will be detected.
, v/ h0 [7 g/ a# eYou can check that simply by hooking Winice.exe control proc entry point4 I U' Q& {7 B+ e/ v( @7 m6 G
while running MeltICE.
1 s* m2 i( Q; {7 U; F) X4 \9 K7 b% h( `& x
7 l. P6 \2 `# a4 _& q* K: Z
00401067: push 00402025 ; \\.\SICE* ]0 P. M* _6 Z2 g9 Y" Y4 o
0040106C: call CreateFileA9 W! y8 k1 n/ n D! }
00401071: cmp eax,-001' h* N# k6 d, O$ G
00401074: je 00401091$ |. w4 c; }2 X/ C8 x" f
0 P" s0 B$ z- I' ^ w7 X8 N4 q0 D4 g
There could be hundreds of BPX you could use to detect this trick.0 H9 A# }; f4 w! }" V8 ]/ E
-The most classical one is:
1 N# i: K! c" O. `9 e! c! |/ T BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || u4 \. u7 f3 v+ ?
*(esp->4+4)=='NTIC'. s |1 N9 W" W- S0 p& Z' I
/ b. \2 O; x4 Y
-The most exotic ones (could be very slooooow :-(4 A% t/ L- U+ k0 _; B
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
" P) U1 e+ u4 }$ G: b* T- Y ;will break 3 times :-(0 b' ^0 }! A A2 c# U4 B
8 N4 X6 D( c8 X. w5 g/ W- M! N- n
-or (a bit) faster: 9 A" w! {: g" m7 m0 y' O
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')3 M6 x( Z' X+ C) l, _/ t
+ I9 {* Q& g- N+ }7 U- i/ d+ P
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' / S" i# ]/ |5 Q& X8 O3 G
;will break 3 times :-(
1 h* @/ Z" d% p% D5 J1 } {% i; Y: ~; g0 y# J
-Much faster:1 R2 g5 z: N( R5 q# d7 n
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'! E; W6 P+ F7 C7 ^; `
4 P& y; X1 J- _3 A6 H; e, L) z9 t
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
0 ^1 r4 `2 g) G% _' S; I/ ifunction to do the same job:
' z" K. z1 ?) L: ^0 \
3 S- e$ R+ R7 E! D push 00 ; OF_READ
8 e; N s. U2 w% _# w$ F& R: _ mov eax,[00656634] ; '\\.\SICE',0# K% M9 W/ M1 C" z! @* A! b
push eax6 h9 x; Y; N" Z4 v0 l
call KERNEL32!_lopen
" x1 N- t- R0 [1 N3 c inc eax
- x+ a! W5 z- c3 N" E jnz 00650589 ; detected
- a% r9 b2 q. }& P push 00 ; OF_READ$ E% S3 ?; l# Q- J) F, u
mov eax,[00656638] ; '\\.\SICE'# o Q# B- _: E; U' z! q0 }' ?
push eax2 G2 h* ?- V0 i& p) ], T4 @* M
call KERNEL32!_lopen# U ^) W3 G8 X& m! u- r
inc eax0 s8 e. X9 w- ~: S
jz 006505ae ; not detected
0 c& t7 A6 D/ V& O' F, q2 R" C* w! T+ b7 S! } U
2 v. A7 O9 H+ w. @1 z2 s9 e__________________________________________________________________________
! n5 w n9 J8 w6 z$ T, z4 `4 q w; t/ b6 x1 P+ `
Method 12
; u; ~$ B/ t# A! P=========
" L6 H9 L; K) G1 S6 d( z: ^% g: W* ^( `5 u* g8 z% T
This trick is similar to int41h/4fh Debugger installation check (code 05
* s9 W1 s- s, N F* }& 06) but very limited because it's only available for Win95/98 (not NT)( [1 g! h1 c) O, U) }
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
1 q# L2 p6 e. f; F% R
8 E$ t! E _ J- N3 M% Q push 0000004fh ; function 4fh
% Z9 \' y# c6 ~0 @ push 002a002ah ; high word specifies which VxD (VWIN32)
( w' A+ [- K5 k0 Z ; low word specifies which service9 P' R* U+ |% Z% P
(VWIN32_Int41Dispatch)
5 B, v/ J1 D0 s4 U1 Q* N call Kernel32!ORD_001 ; VxdCall
) L3 ?/ P- y! u7 s4 o cmp ax, 0f386h ; magic number returned by system debuggers
* e. P- n$ v. I% @% _ jz SoftICE_detected l v: _9 J8 N# V8 ~
9 e' ^" l) q" t$ ^1 SHere again, several ways to detect it:
* g. a5 e9 n, ~# D* Q8 y3 P) \
5 S$ Q7 Q+ U( B BPINT 41 if ax==4f
& X- G! `# j2 h' \2 ^4 M3 N5 _5 ]& f2 r. J
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
) ~' Y. |# L3 `+ K* A
) H3 O$ ?8 n5 Q BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
; C, Q: x, [ [ w3 n2 c/ V
6 c; W) L) [* }7 T7 C; p BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* J( N4 H8 P; |/ f' t6 p/ `5 w3 Q! h" q2 _3 e' p, T' M) d
__________________________________________________________________________( P5 i% P3 n2 N' ]( D1 Y3 q
- H: ^, l& s8 i) \
Method 13. V4 [+ i# v* p. |( b4 Q3 \0 E
=========
! B! O: V6 a9 n. v1 c t! ~( v
& Z8 {( c3 g. Y0 vNot a real method of detection, but a good way to know if SoftICE is, C3 o1 R* q; x( {
installed on a computer and to locate its installation directory.
! g2 g$ F3 T4 b" I; CIt is used by few softs which access the following registry keys (usually #2) :8 K0 X0 ~$ A, a7 F+ y/ M. R) [5 W/ f
@% C. ^) P: l' t0 l7 b-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) T2 o* p0 N! m- H7 @0 U\Uninstall\SoftICE
% m" V8 h {6 t$ i! ` `7 D-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. o+ M1 z1 j- E* w7 `- G: u-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
% A( O8 ?4 F, s- o+ P\App Paths\Loader32.Exe5 ?2 }: n; |2 V# S8 }
' _+ p: y% p/ g/ u3 i
7 q+ ^. ~5 l* ONote that some nasty apps could then erase all files from SoftICE directory
, d. R$ b5 \6 N4 T' u% U(I faced that once :-(
4 z; ^, Q" }0 s9 j
! I9 v3 w" V* O9 `; iUseful breakpoint to detect it:
+ L7 `: {2 g2 u
" B9 h8 T) U& j6 f BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
2 M4 h; n% D& b: r1 [
+ B& W1 w& ]+ r__________________________________________________________________________* Z* M L0 {: c0 V" {
/ i" G; w' |: l7 {! j8 ~$ z& `
. C& ]6 |7 p8 |. [8 K( {7 A8 K- a3 g- u
Method 14 4 C8 j& m: p% k4 S! G* N* Y
=========1 W% M/ H+ [! D
! E. [7 K3 R# Z6 i+ `
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
2 D! s) X" R/ lis to determines whether a debugger is running on your system (ring0 only).9 g% Q; i. `& |. H2 f6 E
8 I* s( w# l; W
VMMCall Test_Debug_Installed/ a B( f4 T, H+ a
je not_installed
* Y& N% v3 g+ D' _4 _ f- x0 u' P' d5 Y8 y) @* S) I& Q3 v4 ]# ?
This service just checks a flag.( e! [9 p U3 R- K. Y( r ~ r- J! L
</PRE></TD></TR></TBODY></TABLE> |
|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港
( 鲁ICP备19052200号-1 )
发表于 2008-9-28 16:34:50
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡