<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to on Win9x */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>