<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es is assumed to hold 0 (the IVT segment),
    xchg bx, es:[41h*4+2]   ; as method 06 sets it explicitly
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer counter: a fresh value every time
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler did not run, someone else owns int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds when the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
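
The following scanner is an added example, not part of the original text and
not code from any of the programs it mentions. It is a small Python script
that looks, in a raw binary, for the byte-level idioms of methods 01, 02,
03/04, 05, 07, 11, 12 and 13 described above, the way an analyst would triage
a packed sample before loading it in a debugger. The byte patterns were
hand-assembled from the mnemonics given in the text (16-bit encodings, with
an optional 0x66 operand-size prefix accepted so the same pattern also
matches code built for a 32-bit segment); the function names (scan, triage),
the signature keys and the SAMPLE blob are all mine, and SAMPLE is
constructed here, not taken from a real program.

```python
"""Static triage scanner for the SoftICE-detection idioms described above.

Added example, not code from the original text. Byte patterns are assembled
by hand from the mnemonics in the text; SAMPLE is a constructed blob.
"""
import re
from typing import Dict, List, Tuple

# An optional 0x66 operand-size prefix is accepted in front of the 16-bit
# immediates so one pattern covers both 16-bit and 32-bit code segments.
P66 = rb"(?:\x66)?"

SIGNATURES: Dict[str, re.Pattern] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_BCHK": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,6}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h followed closely by mov di,4A4Dh (back-door magic)
    "M02_BACKDOOR": re.compile(P66 + rb"\xBE\x47\x46.{0,8}?" + P66 + rb"\xBF\x4D\x4A", re.DOTALL),
    # Method 03: mov ax,1684h / mov bx,0202h (SICE VxD ID) / int 2Fh
    "M03_INT2F_SICE": re.compile(P66 + rb"\xB8\x84\x16.{0,8}?" + P66 + rb"\xBB\x02\x02.{0,4}?\xCD\x2F", re.DOTALL),
    # Method 04: same call with bx=7A5Fh (SIWVID VxD ID)
    "M04_INT2F_SIWVID": re.compile(P66 + rb"\xB8\x84\x16.{0,8}?" + P66 + rb"\xBB\x5F\x7A.{0,4}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "M05_INT41_4F": re.compile(P66 + rb"\xB8\x4F\x00\xCD\x41.{0,12}?" + P66 + rb"\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "M07_INT68_43": re.compile(rb"\xB4\x43\xCD\x68.{0,4}?" + P66 + rb"\x3D\x86\xF3", re.DOTALL),
    # Method 11: device names handed to CreateFileA / _lopen
    "M11_DEVICE_NAME": re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "M12_VXDCALL_INT41": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: the NuMega registry key
    "M13_REGISTRY": re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE),
}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every match, ordered by offset."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def triage(blob: bytes) -> Dict[str, List[int]]:
    """Group the offsets by signature so a report lists each trick once."""
    grouped: Dict[str, List[int]] = {}
    for name, offset in scan(blob):
        grouped.setdefault(name, []).append(offset)
    return grouped


# Constructed blob: padding plus one hand-assembled instance of several
# methods (offsets noted in the comments). Not taken from any real program.
SAMPLE = (
    b"\x90" * 4                                                    # 0: padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"   # 4: method 01, 32-bit encoding
    + b"\x90" * 3                                                  # 18: padding
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # 21: method 02 (magic values at 26)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # 33: method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                   # 41: method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"           # 51: method 12
    + b"\\\\.\\SICE\x00"                                            # 63: method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # 72: method 13
)


if __name__ == "__main__":
    for name, offsets in triage(SAMPLE).items():
        print(f"{name:18s} at " + ", ".join(f"0x{o:04X}" for o in offsets))
```

A hit only says that the idiom is present in the file; a packer that splits
or rewrites the sequence at run time (self-modifying code, the immediates
built in registers, the int replaced by a far call) will be missed, so an
empty report is not proof of absence. The runtime breakpoints listed under
each method above remain the reliable check; the scanner just tells you which
of them to set first.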
</PRE></TD></TR></TBODY></TABLE>