<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

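As an added example (not part of the original text), the following Python decodes DR7 so the two values quoted above can be read field by field; the bit layout is the documented x86 one, and the third sample value is constructed to show what a 4-byte write breakpoint in dr0 looks like:

```python
"""DR7 field decoder for the Method 10 values on this page.

Added example, not part of the original text. It shows what the quoted
dr7 values (0x700 with SoftICE Loader, 0x400 otherwise) actually encode,
and what a hardware memory breakpoint (BPM) looks like in the same
register. Bit positions follow the documented x86 DR7 layout."""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field; 10b means 8 bytes (64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # Li: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # Gi: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3       # R/Wi: bits 16-17, 20-21, ...
            ln = (dr7 >> (18 + 4 * i)) & 3       # LENi: bits 18-19, 22-23, ...
            slots.append({"index": i, "local": local, "global": glob,
                          "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),     # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),     # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),    # general detect: #DB on any MOV to/from DRx
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "breakpoints": slots,
    }


def describe(dr7: int) -> str:
    """One-line summary in the terms Method 10 uses."""
    d = decode_dr7(dr7)
    flags = [f for f in ("LE", "GE", "GD") if d[f]]
    bps = ", ".join(f"dr{b['index']} {b['type']} {b['length']}B"
                    for b in d["breakpoints"])
    return f"dr7={dr7:#x}: flags={flags or 'none'} breakpoints={bps or 'none'}"


if __name__ == "__main__":
    # Constructed values: the two the page quotes, plus a 4-byte write watch
    # on dr0 (local enable bit 0, R/W0=01b, LEN0=11b) as a BPM would set.
    for value in (0x700, 0x400, 0x400 | 0x1 | (1 << 16) | (3 << 18)):
        print(describe(value))
```

With 0x700 only LE and GE (plus the reserved bit) are set and no slot is enabled, which is why the page can tell the loader case apart from a plain 0x400 without any breakpoint being armed.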
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

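As an added example serving Methods 01 to 07, 11 and 12 (not part of the original text or of any packer's code), this Python scanner searches a raw code blob for the byte encodings of the checks quoted above, so a sample can be triaged statically before it runs; the encodings are standard x86 and the sample buffer is constructed:

```python
"""Static triage for the SoftICE checks quoted on this page.

Added example, not part of the original text: it looks for the byte
encodings of the instruction sequences listed in Methods 01-07, 11 and 12,
so a sample can be flagged before it is ever run under a debugger.
Encodings are the standard x86 ones; 16-bit forms for DOS stubs, 32-bit
forms for Win32 code. The sample blob below is constructed, not real."""
import re

# (method number on this page, regex over raw bytes)
SIGNATURES = [
    # mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3  (66h prefix in 16-bit code)
    ("01", rb"\x66?\xbd\x4b\x48\x43\x42(?:\x66?\xb8\x04\x00)?\xcc"),
    # mov si,4647h / mov di,4A4Dh, then int 3 within a few bytes (back door)
    ("02", rb"\xbe\x47\x46\xbf\x4d\x4a.{0,8}?\xcc"),
    # mov ax,1684h / mov bx,0202h (SICE) / int 2Fh
    ("03", rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"),
    # mov ax,1684h / mov bx,7A5Fh (SIWVID) / int 2Fh
    ("04", rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"),
    # mov ax,4Fh / int 41h, optionally followed by cmp ax,0F386h
    ("05", rb"\xb8\x4f\x00\xcd\x41(?:.{0,8}?\x3d\x86\xf3)?"),
    # mov ah,43h / int 68h
    ("07", rb"\xb4\x43\xcd\x68"),
    # MeltICE / _lopen: the "\\.\SICE"-style device name, NUL terminated
    ("11", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # push 4Fh / push 002A002Ah before the VxDCall
    ("12", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]


def scan(blob: bytes) -> list:
    """Return [(method, offset), ...] for every signature hit, by offset."""
    hits = [(method, m.start())
            for method, pattern in SIGNATURES
            for m in re.finditer(pattern, blob, re.DOTALL)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: a DOS-style stub with the Method 02 and 05 checks,
# followed by a Win32-style Method 12 stub and a MeltICE device name.
SAMPLE = (
    b"\x90\x90"                          # nop nop (filler)
    b"\xb8\x11\x09\x8b\x17"              # mov ax,0911h / mov dx,[bx]
    b"\xbe\x47\x46\xbf\x4d\x4a\xcc"      # mov si,4647h / mov di,4A4Dh / int 3
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    b"\x6a\x4f\x68\x2a\x00\x2a\x00"      # push 4Fh / push 002A002Ah
    b"\\\\.\\SICE\x00"                    # "\\.\SICE",0
)

if __name__ == "__main__":
    for method, offset in scan(SAMPLE):
        print(f"offset {offset:#06x}: Method {method} pattern")
```

The signatures match the instruction order quoted on this page; a packer that loads the same registers in a different order or through intermediate moves needs a looser pattern, so treat a hit as a lead for manual review rather than proof.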
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>