About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK' in ebp) that SoftICE answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; al stays 4 if nobody answers the int 3
    cmp     al, 4
    jnz     SoftICE_Detected       ; al was changed: SoftICE answered

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed through the program's own exception handler
  (SEH) when the debugger is not loaded and nobody answers the int 3.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the SoftICE VxD ID via int 2Fh/1684h
(the "Get VxD API entry point" call):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (ES:DI stays 0000:0000 if no such VxD)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Swapping the int 41h vector for a plain
iret stub first defeats any handler merely installed in the vector table
(a TSR faking the answer, for instance): if ax still comes back as 0F386h,
something trapping int 41h below the vector table, i.e. the system debugger,
answered.

    ; es is assumed to be 0 here (the interrupt vector table segment),
    ; as it is set explicitly in Method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original one
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (no
4Fh/0F386h magic to put a conditional breakpoint on):

int41handler PROC
    mov     cl,al           ; no debugger: the stub runs and copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the stub as int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = timer value the debugger cannot guess
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: the stub never ran, the int was swallowed
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
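
The checks of Methods 01 to 07 all boil down to a few "mov reg, imm" instructions followed by an INT, so they can be found statically. The scanner below is an added example (not part of the original post or of any of the tools it names): it decodes those mov instructions, remembers the register values for a few bytes, and matches them against the constants given above when it reaches an INT. It assumes 16-bit real-mode code (as in the DOS listings) and that the mov instructions sit within 16 bytes of the INT; the byte sample is hand-assembled from the listings in the text, not taken from a real binary.

```c
/* Added example, not from the original post: static scanner for the
 * interrupt-based SoftICE checks of Methods 01-07.  Assumes 16-bit code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hit_kind { HIT_BCHK = 1, HIT_INT3_BACKDOOR, HIT_INT2F_VXD, HIT_INT41_4F, HIT_INT68_43 };

typedef struct { size_t offset; enum hit_kind kind; uint32_t value; } hit_t;

/* A tracked register: value plus the offset where it was last written.
 * Values older than WINDOW bytes are treated as unknown (stale state). */
typedef struct { uint32_t val; long at; } reg_t;
#define WINDOW 16
#define UNSET  (-1L)

static int live(reg_t r, size_t pos) { return r.at != UNSET && pos - (size_t)r.at <= WINDOW; }
static uint16_t imm16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Names of the int 3 back door functions listed in Method 02. */
const char *backdoor_name(uint16_t ax) {
    switch (ax) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return "unknown function";
    }
}

static void record(hit_t *out, size_t max, size_t *n, size_t off, enum hit_kind k, uint32_t v) {
    if (*n < max) { out[*n].offset = off; out[*n].kind = k; out[*n].value = v; }
    (*n)++;
}

/* Scans len bytes at p; stores up to max hits in out, returns how many were found. */
size_t scan_softice_checks(const uint8_t *p, size_t len, hit_t *out, size_t max) {
    reg_t ax = {0, UNSET}, bx = ax, si = ax, di = ax, ebp = ax;
    size_t n = 0, i = 0;
    while (i < len) {
        uint8_t op = p[i];
        if (op == 0xB8 && i + 2 < len) { ax.val = imm16(p + i + 1); ax.at = (long)i; i += 3; continue; } /* mov ax,imm16 */
        if (op == 0xB4 && i + 1 < len) {                                                               /* mov ah,imm8  */
            ax.val = (uint32_t)(p[i + 1] << 8) | (live(ax, i) ? ax.val & 0xFF : 0); ax.at = (long)i; i += 2; continue;
        }
        if (op == 0xBB && i + 2 < len) { bx.val = imm16(p + i + 1); bx.at = (long)i; i += 3; continue; } /* mov bx,imm16 */
        if (op == 0xBE && i + 2 < len) { si.val = imm16(p + i + 1); si.at = (long)i; i += 3; continue; } /* mov si,imm16 */
        if (op == 0xBF && i + 2 < len) { di.val = imm16(p + i + 1); di.at = (long)i; i += 3; continue; } /* mov di,imm16 */
        if (op == 0x66 && i + 5 < len && p[i + 1] == 0xBD) {                                           /* mov ebp,imm32 */
            ebp.val = imm16(p + i + 2) | (uint32_t)imm16(p + i + 4) << 16; ebp.at = (long)i; i += 6; continue;
        }
        if (op == 0xCC || (op == 0xCD && i + 1 < len)) {                                               /* int 3 / int n */
            int vec = (op == 0xCC) ? 3 : p[i + 1];
            if (vec == 3 && live(si, i) && live(di, i) && si.val == 0x4647 && di.val == 0x4A4D)
                record(out, max, &n, i, HIT_INT3_BACKDOOR, live(ax, i) ? ax.val : 0);      /* Method 02 */
            else if (vec == 3 && live(ebp, i) && ebp.val == 0x4243484B && live(ax, i) && (ax.val & 0xFF) == 4)
                record(out, max, &n, i, HIT_BCHK, ax.val);                                 /* Method 01 */
            else if (vec == 0x2F && live(ax, i) && ax.val == 0x1684 && live(bx, i) && (bx.val == 0x0202 || bx.val == 0x7A5F))
                record(out, max, &n, i, HIT_INT2F_VXD, bx.val);                            /* Methods 03/04 */
            else if (vec == 0x41 && live(ax, i) && (ax.val & 0xFF) == 0x4F)
                record(out, max, &n, i, HIT_INT41_4F, ax.val);                             /* Method 05 */
            else if (vec == 0x68 && live(ax, i) && (ax.val >> 8) == 0x43)
                record(out, max, &n, i, HIT_INT68_43, ax.val);                             /* Method 07 */
            ax.at = bx.at = si.at = di.at = ebp.at = UNSET;   /* the INT consumed the state */
            i += (op == 0xCC) ? 1 : 2; continue;
        }
        i++;   /* anything else: skip one byte, keep the (time-limited) state */
    }
    return n;
}

/* Constructed sample, hand-assembled from the listings in the text (not a real
 * binary): the checks of Methods 02, 01, 03, 05 and 07, in that order. */
static const uint8_t sample[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,           /* Haspinst: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3 */
    0x90,0x90,
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x00,  /* BCHK: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,            /* xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh */
    0xB8,0x4F,0x00, 0xCD,0x41,                                                   /* mov ax,4Fh; int 41h */
    0xB4,0x43, 0xCD,0x68,                                                        /* mov ah,43h; int 68h */
};

size_t scan_sample(hit_t *out, size_t max) { return scan_softice_checks(sample, sizeof sample, out, max); }

int main(void) {
    hit_t hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t k = 0; k < n && k < 16; k++) {
        printf("offset %2zu: kind %d value %04X", hits[k].offset, (int)hits[k].kind, (unsigned)hits[k].value);
        if (hits[k].kind == HIT_INT3_BACKDOOR) printf(" (%s)", backdoor_name((uint16_t)hits[k].value));
        printf("\n");
    }
    return 0;
}
```

The 16-byte window is a deliberate trade-off: it lets unrelated instructions sit between the mov and the INT (as mov dx,[bx] does in the Haspinst listing) without having to decode every x86 instruction, at the price of occasional false positives when stale values happen to line up. Method 06 is not matched on purpose: it carries no fixed value (al comes from the timer), which is exactly why the text calls it harder to detect.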
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the SoftICE VxD
   answered the DIOC_OPEN control message (see below). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* do not leak the device handle */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so the
  comparison looks at the first four characters of the driver name.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

   VMMCall Test_Debug_Installed
   je      not_installed             ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>