<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command; the command string is located at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* Open the SoftICE VxD by its device name; this only succeeds if the driver is loaded. */
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
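An added triage scanner (not part of the original text) that looks in a raw binary for the instruction sequences and driver names behind Methods 01 to 05, 07, 11 and 12 above, so an analyst can flag a sample that carries these checks before stepping through it; the opcode bytes are hand-assembled from the listings (16-bit forms, with an optional 66h prefix tolerated where it matters) and the sample buffer is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Hand-encoded x86 opcode patterns for the checks listed on this page.
# Patterns start at the opcode byte, so a 66h operand-size prefix in 32-bit
# code does not break them; re.S lets '.' match any byte value (incl. 0x0A).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CCh)
    ("bchk_boundschecker", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values (either order)
    ("int3_backdoor_magic", re.compile(
        rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("int2f_get_vxd_entry", re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h
    ("int41_fn4f", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h (optional 66h prefix)
    ("int68_fn43", re.compile(rb"\xB4\x43\xCD\x68(?:\x66)?\x3D\x86\xF3")),
    # Method 12: push 4Fh / push 002A002Ah right before the VxDCall
    ("vxdcall_int41_4f", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11 (CreateFileA / _lopen): SoftICE driver device names
    ("softice_device_name", re.compile(b"|".join(
        re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE")))),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) pairs found in data, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_hit(data: bytes) -> List[str]:
    """Distinct signature names, in order of first appearance."""
    return list(dict.fromkeys(name for _, name in scan(data)))


# Constructed sample: a few of the page's sequences glued together with padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # Method 02: magic values + int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # Method 03: int 2Fh/1684h, ID 0202h
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                     # Method 11: MeltICE device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"        # Method 12: VxDCall VWIN32_Int41Dispatch
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

A hit is a reason to look closer, not proof: the same immediates can occur in unrelated code, so confirm each offset in a disassembler.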