<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; only a system debugger changes ax
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device only succeeds when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
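Added here as an analyst's example, not part of the original text: a small Python scanner that looks for the byte patterns of the tricks above (Methods 01-07, 11, 12 and 13) in a raw binary, so a sample can be triaged for SoftICE checks before it is stepped through. The opcode encodings follow the instructions quoted on the page; the pattern list, the method labels and the sample blobs are constructed for this example.

```python
import re

# Byte patterns for the SoftICE checks described above. The opcode encodings
# are the standard Intel ones for the instructions quoted on the page; the
# pattern list itself is constructed for this example and is not exhaustive
# (a packer can reorder or obfuscate these sequences).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (66h prefix in 16-bit code)
    ("01 BoundsChecker 'BCHK'",    rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    ("02 back door SI/DI magic",   rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID", rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ... int 41h
    ("05/06 int 41h fn 4Fh",       rb"\xB8\x4F\x00.{0,16}\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h fn 43h",          rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12 all compare the result with the 0F386h magic number
    ("05/07/12 cmp ax,0F386h",     rb"\x3D\x86\xF3"),
    # Method 11: MeltICE device names opened with CreateFileA or _lopen
    ("11 MeltICE device name",     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall Int41Dispatch",   rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: NuMega registry key
    ("13 NuMega registry key",     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob):
    """Return (offset, method) pairs for every signature hit, in file order."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(blob):
    """Distinct method labels that hit, sorted, for a quick triage verdict."""
    return sorted({name for _, name in scan(blob)})


# Constructed sample: Method 01 (32-bit code), Method 05 (16-bit code) and a
# MeltICE device string, padded with NOPs; CLEAN contains none of the tricks.
SUSPECT = (b"\x90" * 4
           + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01
           + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # 05
           + b"\x00\\\\.\\SICE\x00")                                     # 11
CLEAN = b"\x90" * 8 + b"\xB8\x4F\x00\x90\x90" + b"\\\\.\\PhysicalDrive0\x00"

if __name__ == "__main__":
    for off, name in scan(SUSPECT):
        print(f"offset {off:#06x}: method {name}")
    print("clean blob:", methods_found(CLEAN))
```

To scan a real sample, pass its bytes to scan(); a hit only says the idiom is present, so confirm it by stepping to the reported offset with the breakpoints listed under each method.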