<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognises:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4              ; SoftICE answers by changing al
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI stays 0000:0000 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install a dummy int 41h handler in the IVT
    xchg bx, es:[41h*4+2]     ; (es must be 0) and keep the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; only reached if nothing else hooks int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, save the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h                ; arbitrary value (timer counter) in al
    xor cx,cx
    int 41h                   ; our handler copies al into cl...
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ...unless a debugger got the int 41h first
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the SICE VxD is there to answer it */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
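As an added illustration (not part of the original text), the following Python models two of the conditional breakpoints quoted above, the CreateFileA one from Method 11 and the _regopenkey one from Method 13, against a constructed memory image, so the stack and offset arithmetic in the expressions can be checked by hand; the memory layout, the argument values and the helper names are assumptions.

```python
import struct

# Device names checked by the CreateFileA breakpoint: SICE, SIWVID, NTICE,
# compared 4 characters at a time.
DEVICE_LITERALS = ("SICE", "SIWV", "NTIC")

def dword_at(mem, addr):
    """Little-endian 32-bit read at addr: what *(addr) means in a SoftICE expression."""
    return struct.unpack_from("<I", mem, addr)[0]

def char_lit(text):
    """Value a 4-char literal such as 'SICE' must have to equal a dword read
    from memory that holds those bytes in order."""
    return int.from_bytes(text.encode("ascii"), "little")

def bpx_createfilea(mem, esp):
    """Evaluates  *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp -> return address, esp+4 -> first argument (lpFileName);
    +4 skips the 4-byte prefix \\\\.\\ so the dword read is the device name."""
    lp_file_name = dword_at(mem, esp + 4)
    return any(dword_at(mem, lp_file_name + 4) == char_lit(d) for d in DEVICE_LITERALS)

def bpx_regopenkey(mem, esp):
    """Evaluates  *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp+8 -> second argument (lpSubKey). 0x13 is where "tICE" sits in
    Software\\NuMega\\SoftICE (key #2), 0x37 where it sits in
    Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE (key #1)."""
    lp_sub_key = dword_at(mem, esp + 8)
    return any(dword_at(mem, lp_sub_key + off) == char_lit("tICE") for off in (0x13, 0x37))

def build_image(args, strings):
    """Constructed memory image (an assumption, not a real process): NUL-terminated
    strings from 0x100 at 0x80-byte spacing, and a stack frame at esp=0x800 holding a
    dummy return address followed by the dword arguments (names resolve to addresses)."""
    mem = bytearray(0x1000)
    addr, cursor = {}, 0x100
    for name, text in strings.items():
        addr[name] = cursor
        mem[cursor:cursor + len(text)] = text.encode("ascii")  # zero fill = terminator
        cursor += 0x80
    esp = 0x800
    struct.pack_into("<I", mem, esp, 0x00401071)  # return address placeholder
    for i, a in enumerate(args):
        struct.pack_into("<I", mem, esp + 4 * (i + 1), addr.get(a, a))
    return mem, esp

if __name__ == "__main__":
    mem, esp = build_image(["fn", 0xC0000000, 3, 0, 3, 0x80, 0], {"fn": "\\\\.\\SICE"})
    print("CreateFileA bp fires on \\\\.\\SICE:", bpx_createfilea(mem, esp))
    mem, esp = build_image([0x80000002, "k", 0], {"k": "Software\\NuMega\\SoftICE"})
    print("_regopenkey bp fires on key #2:", bpx_regopenkey(mem, esp))
```

Working the offsets through shows that key #3 (App Paths\Loader32.Exe) never yields 'tICE' at 0x13 or 0x37, so the _regopenkey breakpoint does not catch a program that only reads that key.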

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>