<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; al is left at 4 if SoftICE did not answer
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value from the timer port
        xor cx,cx
        int 41h                 ; if SoftICE intercepts int 41h, our handler never runs and cl stays 0
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
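The INT-based checks of methods 02 to 05 and 07 all load a few registers and then trap to a vector, so a static triage pass can recognise them by tracking MOV reg,imm values instead of matching one fixed byte string, which also survives reordered or interleaved instructions. Added example, not code from the original text: a small Python sweep over 16-bit code that does this; the sample bytes are constructed for the demo.

```python
from typing import Dict, List, Tuple

# Constructed sample, not from the page: the register set-up of methods 02, 03,
# 05 and 07 back to back, then an ordinary DOS exit call that must not match.
SAMPLE = bytes.fromhex(
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"   # mov ax,911h/mov dx,[bx]/mov si,4647h/mov di,4A4Dh/int 3
    "31FF" "8EC7" "B88416" "BB0202" "CD2F"   # xor di,di/mov es,di/mov ax,1684h/mov bx,202h/int 2Fh
    "B84F00" "CD41" "3D86F3" "7405"          # mov ax,4Fh/int 41h/cmp ax,0F386h/jz
    "B443" "CD68" "3D86F3" "7405"            # mov ah,43h/int 68h/cmp ax,0F386h/jz
    "B44C" "CD21")                           # mov ah,4Ch/int 21h: benign
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]  # opcode B8+r
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]   # opcode B0+r

def _set8(regs: Dict[str, int], r8: str, val: int) -> None:
    """Fold an 8-bit MOV into its 16-bit parent register (ah/al -> ax)."""
    parent, cur = r8[0] + "x", regs.get(r8[0] + "x", 0)
    regs[parent] = (cur & 0xFF) | (val << 8) if r8[1] == "h" else (cur & 0xFF00) | val

def classify_int(vector: int, regs: Dict[str, int]) -> str:
    """Name the SoftICE check an INT performs, given the registers set before it."""
    ax, bx = regs.get("ax"), regs.get("bx")
    if vector == 3 and regs.get("si") == 0x4647 and regs.get("di") == 0x4A4D:
        return "method 02: SoftICE back-door INT 3, AX=" + (f"{ax:04X}" if ax is not None else "?")
    if vector == 0x2F and ax == 0x1684 and bx == 0x0202:
        return "method 03: INT 2F/1684 for VxD ID 0202 (SICE)"
    if vector == 0x2F and ax == 0x1684 and bx == 0x7A5F:
        return "method 04: INT 2F/1684 for VxD ID 7A5F (SIWVID)"
    if vector == 0x41 and ax == 0x4F:
        return "method 05: INT 41/4F debugger installation check"
    if vector == 0x68 and ax is not None and ax >> 8 == 0x43:
        return "method 07: INT 68/43 V86 debugger check"
    return ""

def scan_code16(code: bytes, window: int = 24) -> List[Tuple[int, str]]:
    """Linear sweep of 16-bit code: keep MOV reg,imm values seen within `window`
    bytes and classify every INT. Unknown opcodes are skipped a byte at a time,
    so this is a triage heuristic, not a disassembler."""
    hits, regs, last_mov, i = [], {}, -window, 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF and i + 2 < len(code):            # MOV r16, imm16
            regs[REG16[op - 0xB8]] = code[i + 1] | (code[i + 2] << 8)
            last_mov, i = i, i + 3
        elif 0xB0 <= op <= 0xB7 and i + 1 < len(code):          # MOV r8, imm8
            _set8(regs, REG8[op - 0xB0], code[i + 1])
            last_mov, i = i, i + 2
        elif op == 0xCC or (op == 0xCD and i + 1 < len(code)):  # INT 3 / INT n
            vector = 3 if op == 0xCC else code[i + 1]
            what = classify_int(vector, regs) if i - last_mov <= window else ""
            if what:
                hits.append((i, what))
            regs.clear()                                         # state ends at the call
            i += 1 if op == 0xCC else 2
        else:
            if i - last_mov > window:                            # stale register state
                regs.clear()
            i += 1
    return hits
```

Bytes inside immediates or data can look like a MOV opcode, so treat hits as leads to confirm in a disassembler.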
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________


Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the C literal "\\\\.\\SICE" is the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
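The handle check of method 11 and the registry lookup of method 13 both leave their device names and key paths in the binary, and the W versions of the same APIs carry them as UTF-16LE, which an ANSI-only string search misses. Added example, not from the original text: a Python scan for both encodings, run over a constructed sample buffer.

```python
from typing import List, Tuple

# Strings the checks rely on, taken from methods 11 and 13 above.
INDICATORS = {
    r"\\.\SICE": "method 11: Win9x SoftICE driver handle",
    r"\\.\SIWVID": "method 11: Win9x SoftICE video driver handle",
    r"\\.\NTICE": "method 11: WinNT SoftICE driver handle",
    r"Software\NuMega\SoftICE": "method 13: SoftICE registry key (#2)",
    r"CurrentVersion\Uninstall\SoftICE": "method 13: uninstall registry key (#1)",
    r"App Paths\Loader32.Exe": "method 13: Symbol Loader app path (#3)",
}

def find_softice_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, description) for every indicator in `blob`,
    in both the ANSI form (CreateFileA, _lopen, RegOpenKeyA) and the UTF-16LE
    form the W variants of the same APIs take."""
    hits = []
    for text, what in INDICATORS.items():
        for enc, needle in (("ansi", text.encode("ascii")),
                            ("utf-16le", text.encode("utf-16-le"))):
            pos = blob.find(needle)
            while pos != -1:
                hits.append((pos, enc, what))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample, not from the page: an ANSI device name, a UTF-16LE one
# and a registry path embedded between filler bytes.
SAMPLE = (b"\x00" * 4 + b"\\\\.\\SICE\x00"
          + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
          + b"Software\\NuMega\\SoftICE\x00")
```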
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>