<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=04h, the INT 3 is answered by SoftICE and AL no longer equals 4 on
return; without SoftICE, AL is still 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SIce commands, located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. Letting this loop run under
SoftICE therefore ends with a reboot as soon as the HBOOT command is reached.

* the "jmp to 00ADh" is taken through the program's own INT 3 exception
 handler when no debugger is loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/AX=1684h
(Get Device API Entry Point); a non-zero ES:DI means the VxD is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of SoftICE (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES+DI != 0 -> an entry point was returned
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced by a handler that does nothing: on a clean system AX comes back
unchanged (4Fh), while a debugger that handles int 41h at a lower level
than the IVT, as SoftICE does, still returns 0F386h.

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in BX:DX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected


int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect,
since it uses neither the 4Fh function number nor the 0F386h constant:
the installed handler copies AL into CL; AL is loaded with a byte from the
timer (port 40h) and CX is cleared before the int 41h. If nobody intercepts
int 41h, our handler runs and CL == AL afterwards. The check relies on
SoftICE answering the interrupt itself without calling through to the
vector in the IVT, so that CL stays 0.
(If the byte read from port 40h happens to be 0, CL and AL are equal either
way and the check misses.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in BX:DX
 xchg bx, es:[41h*4+2]
 in al, 40h ; random byte from the timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function AH=43h returns
AX=0F386h when a debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP
 at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...).

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used when the VxD has no ID (not needed here ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7=0x700 if the program was started with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints (BPM) are
set (DR0 to DR3), simply by reading their values (ring 0 only). The values
can be manipulated or changed as well (clearing BPMs, for instance).
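
The two DR7 values quoted above follow from the register's bit layout: bit 10
always reads as 1 (hence 0x400 on a clean machine), and the SoftICE loader
additionally sets bits 8 and 9 (LE/GE, "exact" breakpoint matching), which
gives 0x700; an armed BPM shows up in the L/G enable bits 0-7 and in the R/W
and LEN fields in bits 16-31. The following C program is an added example,
not code from the original text: it decodes a DR7 value into those fields and
applies the Method 10 test to it. It does not execute the privileged
"mov eax, dr7" (ring 0 only); the values are passed in as constructed
constants.

```c
/* Added example (not from the original text): decode a DR7 value as read by
 * Method 10. No privileged instruction is used; the DR7 values are constructed
 * constants, a real check would read the register with "mov eax, dr7" in ring 0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers") */
#define DR7_L(n)      (1u << (2 * (n)))             /* local enable for DRn   */
#define DR7_G(n)      (1u << (2 * (n) + 1))         /* global enable for DRn  */
#define DR7_LE        (1u << 8)                     /* local exact (LE)       */
#define DR7_GE        (1u << 9)                     /* global exact (GE)      */
#define DR7_RESERVED  (1u << 10)                    /* bit 10: always reads 1 */
#define DR7_RW(v, n)  (((v) >> (16 + 4 * (n))) & 3u) /* R/W field of DRn      */
#define DR7_LEN(v, n) (((v) >> (18 + 4 * (n))) & 3u) /* LEN field of DRn      */

struct dr7_info {
    int exact_set;      /* LE and GE both set: the 0x700 case                */
    int armed_mask;     /* bit n set if DRn has its L or G enable bit set    */
    int armed_count;
    const char *rw[4];  /* "exec", "write", "io" or "rw" per register        */
    int len[4];         /* breakpoint length in bytes per register           */
};

static const char *rw_name(unsigned rw)
{
    static const char *names[4] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

static int len_bytes(unsigned len)
{
    /* 00b=1, 01b=2, 10b=8 (64-bit mode only, undefined on 32-bit), 11b=4 */
    static const int bytes[4] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    info.exact_set = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    for (int n = 0; n < 4; n++) {
        if (dr7 & (DR7_L(n) | DR7_G(n))) {
            info.armed_mask |= 1 << n;
            info.armed_count++;
        }
        info.rw[n]  = rw_name(DR7_RW(dr7, n));
        info.len[n] = len_bytes(DR7_LEN(dr7, n));
    }
    return info;
}

/* Method 10 as a predicate: "debugger present" if the exact-match bits the
 * SoftICE loader sets are on, or if any hardware breakpoint (BPM) is armed. */
int debug_registers_look_suspicious(uint32_t dr7)
{
    struct dr7_info info = decode_dr7(dr7);
    return info.exact_set || info.armed_count > 0;
}

int main(void)
{
    /* Constructed samples: the two readings quoted in the text, plus one with a
     * 4-byte read/write breakpoint armed (locally) in DR0. */
    uint32_t samples[] = { 0x400, 0x700,
                           0x400 | DR7_L(0) | (3u << 16) | (3u << 18) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info = decode_dr7(samples[i]);
        printf("DR7=%#x exact=%d armed=%d", (unsigned)samples[i],
               info.exact_set, info.armed_count);
        for (int n = 0; n < 4; n++)
            if (info.armed_mask & (1 << n))
                printf(" DR%d:%s/%d", n, info.rw[n], info.len[n]);
        printf(" -> %s\n", debug_registers_look_suspicious(samples[i])
                           ? "suspicious" : "clean");
    }
    return 0;
}
```

A program started with the SoftICE loader is flagged by the LE/GE bits alone,
even with no BPM set; a BPM set later shows up as an armed register with its
R/W and LEN fields, which is also what has to be cleared to "remove" it.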

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE', because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* the device opened: SoftICE is loaded */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; not opened -> not detected


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the "inc eax / jnz" test):

 push 00 ; OF_READ
 mov eax,[00656634] ; -> '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; -1 (HFILE_ERROR) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; -> '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
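
Putting the pieces of Method 11 together, here is an added example in
portable C (not MeltICE's or NuMega's code): the probe loop over the three
device names, with the open call injected as a function pointer so that the
program runs without Windows. On Windows the opener would be the CreateFileA
call shown above (success = handle != INVALID_HANDLE_VALUE) or _lopen
(success = return != HFILE_ERROR). It also implements the "classical" BPX
condition as a C predicate, to show exactly which strings make it fire. The
fake openers and the non-SoftICE path strings are constructed for the example.

```c
/* Added example (not MeltICE's or NuMega's code): the Method 11 probe with the
 * device-open call injected, plus the "classical" breakpoint condition as a
 * predicate. Fake openers below stand in for CreateFileA / _lopen. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Driver device names from the text, and the OS the text assigns them to. */
struct softice_device {
    const char *path;   /* Win32 device path          */
    const char *os;     /* where the driver exists    */
};
static const struct softice_device devices[] = {
    { "\\\\.\\SICE",   "Win9x" },
    { "\\\\.\\SIWVID", "Win9x" },
    { "\\\\.\\NTICE",  "WinNT" },
};

/* An opener returns nonzero if the device could be opened (and closes it). */
typedef int (*open_device_fn)(const char *path);

/* Returns the device path that opened (SoftICE present), or NULL. */
const char *probe_softice(open_device_fn try_open)
{
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (try_open(devices[i].path))
            return devices[i].path;
    return NULL;
}

/* The "classical" condition from the text,
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ... =='SIWV' || ... =='NTIC'
 * as a C predicate: esp->4 is the lpFileName argument, +4 skips the "\\.\"
 * prefix, and the 4 bytes there are compared with the three tags. Checking
 * the prefix first keeps it from firing on ordinary file paths that happen
 * to carry those letters at offset 4. */
int bpx_createfile_condition(const char *lpFileName)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;
    if (memcmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    for (size_t i = 0; i < 3; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Constructed stand-ins for the opener: a Win9x machine running SoftICE
 * (SICE and SIWVID both open) and a clean machine (nothing opens). */
static int fake_open_win9x_softice(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}
static int fake_open_clean(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
    const char *hit = probe_softice(fake_open_win9x_softice);
    printf("softice host: %s\n", hit ? hit : "not detected");
    printf("clean host:   %s\n",
           probe_softice(fake_open_clean) ? "detected" : "not detected");
    printf("bpx fires on \\\\.\\NTICE: %d, on C:\\SICE.TXT: %d\n",
           bpx_createfile_condition("\\\\.\\NTICE"),
           bpx_createfile_condition("C:\\SICE.TXT"));
    return 0;
}
```

The predicate reads only the 4 bytes after the prefix, which is why one
breakpoint covers SICE, SIWVID and NTICE; any program that builds the device
name at runtime still has to pass the same string to CreateFileA, so the
breakpoint is independent of how the string was obfuscated in the binary.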

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
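
The two offsets in that breakpoint come straight from the key strings: in
"Software\NuMega\SoftICE" the 't' of "SoftICE" sits at byte 0x13, in the
Uninstall key at byte 0x37, and key #3 never contains "tICE" at all, so the
breakpoint stays silent for it. The C program below is an added example (not
from the original text): it derives the offsets from the strings and
implements the breakpoint condition as a predicate, with the length check
that a C read needs and SoftICE's raw memory read does not.

```c
/* Added example (not from the original text): where the 0x13 and 0x37
 * offsets of the Method 13 breakpoint come from, and the condition itself
 * as a predicate over the lpSubKey argument of RegOpenKeyA. */
#include <stdio.h>
#include <string.h>

/* Sub-key strings as a program would pass them to RegOpenKeyA under HKLM
 * (the three keys listed in the text). */
static const char *subkeys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",       /* #1 */
    "Software\\NuMega\\SoftICE",                                             /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", /* #3 */
};

/* Offset at which a fixed-offset compare has to read to see "tICE",
 * or -1 if the string never contains it. */
long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1;
}

/* The breakpoint condition from the text,
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * as a C predicate. esp->8 is lpSubKey; a 4-byte read at 0x37 must not run
 * past the end of a short string, so the length is checked first. */
int bpx_regopenkey_condition(const char *lpSubKey)
{
    static const size_t offsets[] = { 0x13, 0x37 };
    size_t len = strlen(lpSubKey);
    for (size_t i = 0; i < 2; i++)
        if (len >= offsets[i] + 4 && memcmp(lpSubKey + offsets[i], "tICE", 4) == 0)
            return 1;
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        printf("#%zu: 'tICE' at offset %ld -> breakpoint %s\n", i + 1,
               tice_offset(subkeys[i]),
               bpx_regopenkey_condition(subkeys[i]) ? "fires" : "silent");
    return 0;
}
```

The fixed offsets make the breakpoint cheap but brittle: a program that opens
"Software\NuMega" first and then "SoftICE" relative to that handle passes
neither string, and key #3 needs a separate condition on "Loader32".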
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>