About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: with EBP holding the
signature 'BCHK' and AX = 4, the INT 3 is answered by SoftICE, which
changes AL. If AL still holds 4 afterwards, no SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is cleared beforehand and stays
0000:0000 if no VxD with that ID answers.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at its own do-nothing handler: if only that handler answers, AX
still holds 4Fh afterwards; if SoftICE catches the interrupt before the
vector table is consulted (it hooks it at ring 0), AX comes back as 0F386h.

    xor     ax,ax
    mov     es,ax           ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
A byte read from the timer port (in al,40h) serves as a random value and
the handler copies it into CL. If the int 41h really reached our handler,
CL equals AL afterwards; if SoftICE intercepted it, CL is still 0 (the
check has a 1-in-256 blind spot when AL happens to be 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIO_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (at the entry of CreateFileA, esp->4 is the lpFileName argument; the +4
  skips the "\\.\" prefix, so the four bytes compared are the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jnz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

  (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the 't'
  of "SoftICE" in key #2 and key #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
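
As an added example for methods 01 to 05 and 07 (not part of the original text, and not code from any tool it mentions), here is a small static scanner for the byte encodings of those interrupt idioms in 16-bit code: the 'BCHK' probe, the SI=4647h/DI=4A4Dh back door together with the AX=09xxh request code it loads, the int 2Fh/1684h VxD queries for 0202h and 7A5Fh, int 41h/4Fh and int 68h/43h. It runs on a constructed buffer in which the listings above are hand-assembled, the Haspinst.exe loop byte for byte (the JB/JMP displacements reproduce the addresses 4C19:0095..00AD shown). The 24-byte window, the idiom names, the sample bytes and the clean control buffer are my choices.

```c
/* sice_idioms.c - scanner for the anti-SoftICE interrupt idioms of methods 01-05 and 07
 * in 16-bit x86 code. Added example, not from the original document. cc -std=c99 sice_idioms.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW  24   /* every fragment of an idiom must lie within 24 bytes of its anchor */
#define MAXFRAG 3

typedef struct {
    const char *name;
    uint8_t     frag[MAXFRAG][5]; /* frag[0] anchors the match; the rest may follow in any order */
    size_t      len[MAXFRAG];     /* 0 = unused slot */
    int         int3;             /* idiom must reach INT 3 (CC, or CD 03) inside the window */
    int         backdoor;         /* also report the "mov ax,09xxh" request code loaded nearby */
} sig_t;
typedef struct { const char *name; size_t offset; int ax_func; } hit_t;

/* Encodings: mov ebp,imm32 = BD; mov ax/bx/si/di,imm16 = B8/BB/BE/BF; mov ah,imm8 = B4; int n = CD n */
static const sig_t SIGS[] = {
    { "M01 BoundsChecker 'BCHK' probe",       {{0xBD,0x4B,0x48,0x43,0x42},{0xB8,0x04,0x00}},   {5,3,0}, 1, 0 },
    { "M02 SI=4647h/DI=4A4Dh back door",      {{0xBE,0x47,0x46},{0xBF,0x4D,0x4A}},             {3,3,0}, 1, 1 },
    { "M03 int 2Fh/1684h VxD 0202h (SICE)",   {{0xB8,0x84,0x16},{0xBB,0x02,0x02},{0xCD,0x2F}}, {3,3,2}, 0, 0 },
    { "M04 int 2Fh/1684h VxD 7A5Fh (SIWVID)", {{0xB8,0x84,0x16},{0xBB,0x5F,0x7A},{0xCD,0x2F}}, {3,3,2}, 0, 0 },
    { "M05 int 41h/4Fh debugger check",       {{0xB8,0x4F,0x00},{0xCD,0x41}},                  {3,2,0}, 0, 0 },
    { "M07 int 68h/43h V86 WinICE check",     {{0xB4,0x43},{0xCD,0x68}},                       {2,2,0}, 0, 0 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int has_bytes(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

static int has_int3(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0xCC || (p[i] == 0xCD && i + 1 < n && p[i + 1] == 0x03)) return 1;
    return 0;
}

/* Scan buf[0..n), record up to max hits. ax_func is the back-door request code
 * (0x0911 = execute a SoftICE command, the variant that can HBOOT) or -1. */
size_t scan_anti_sice(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        size_t win = (n - i < WINDOW) ? n - i : WINDOW;
        for (size_t s = 0; s < NSIGS && count < max; s++) {
            const sig_t *sg = &SIGS[s];
            if (win < sg->len[0] || memcmp(buf + i, sg->frag[0], sg->len[0]) != 0) continue;
            int ok = 1;
            for (int f = 1; f < MAXFRAG && ok; f++)
                if (sg->len[f] && !has_bytes(buf + i, win, sg->frag[f], sg->len[f])) ok = 0;
            if (ok && sg->int3 && !has_int3(buf + i, win)) ok = 0;
            if (!ok) continue;
            hits[count].name = sg->name; hits[count].offset = i; hits[count].ax_func = -1;
            if (sg->backdoor)   /* "mov ax,09xxh" = B8 xx 09, usually just before the SI/DI loads */
                for (size_t k = (i >= 8 ? i - 8 : 0); k + 2 < i + win; k++)
                    if (buf[k] == 0xB8 && buf[k + 2] == 0x09) { hits[count].ax_func = 0x0900 | buf[k + 1]; break; }
            count++;
        }
    }
    return count;
}

/* Constructed sample: the listings from the text hand-assembled as 16-bit code and
 * NOP-padded; the Haspinst.exe loop is byte-exact for 4C19:0095..00AD. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,0x90, 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, /* M01 */
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB, 0xE9,0x55,0xFF, 0x8B,0xDC, 0x90,0x90,0x90,0x90, /* M02 */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F, 0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x10,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10,                         /* M03 above, M05 here */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x10, 0x90,0x90,0x90,0x90, 0xC3,   /* M07 */
};
static const uint8_t CLEAN[] = { 0xB8,0x00,0x4C, 0xCD,0x21, 0x90,0x90, 0xC3 };  /* mov ax,4C00h ; int 21h */

/* Wrappers over the built-in samples so the results can be checked directly. */
size_t sample_hit_count(void) { hit_t h[16]; return scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 16); }
size_t clean_hit_count(void)  { hit_t h[16]; return scan_anti_sice(CLEAN, sizeof CLEAN, h, 16); }
const char *sample_hit_name(size_t idx)
{   hit_t h[16]; size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 16);
    return idx < n ? h[idx].name : ""; }
int sample_backdoor_func(void)
{   hit_t h[16]; size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 16);
    for (size_t i = 0; i < n; i++) if (h[i].ax_func >= 0) return h[i].ax_func;
    return -1; }

int main(void)
{
    hit_t h[16];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 16);
    for (size_t i = 0; i < n; i++)
        printf("+%04zx  %s%s\n", h[i].offset, h[i].name,
               h[i].ax_func == 0x0911 ? "  (AX=0911h: executes SoftICE commands)" : "");
    return 0;
}
```

Point it at the raw code of a DOS executable (after the MZ header) or an unpacked Win9x binary; 32-bit code still matches because each anchor starts at the opcode byte, after any 66h prefix. Hits are leads for a BPX/BPINT, not proof: a protector can reorder, split or compute the loads, and method 06 (no mov ax,4Fh, random AL from port 40h) is deliberately outside these patterns.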
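
Method 10 turns on what the loader and the BPM command leave in DR7. The decoder below is an added example (not from the original text) that pulls DR7 apart the way a ring-0 check would, so the two values quoted there can be read: 0x400 is only the reserved bit 10, which always reads as 1, and 0x700 additionally carries LE and GE (bits 8 and 9). It also counts the armed breakpoints in the L/G bits, decodes each one's R/W and LEN fields, and shows the "clear BPMs" write a protector makes. The BPM value used as input is constructed for the example; mov eax,dr7 is privileged, so the decoder takes the value as a parameter instead of reading the register.

```c
/* dr7_decode.c - pick DR7 apart the way a ring-0 anti-debug check (method 10) does.
 * Added example, not from the original document; bit layout as in the i386 manual.
 * cc -std=c99 -o dr7_decode dr7_decode.c && ./dr7_decode */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int le, ge;       /* bits 8, 9 : local/global exact breakpoint enable */
    int gd;           /* bit 13    : general detect, traps the next MOV to/from a DRn */
    int enabled[4];   /* L(n) (bit 2n) or G(n) (bit 2n+1) set => DRn is armed */
    int rw[4];        /* bits 16+4n..17+4n: 0 exec, 1 write, 2 I/O, 3 read/write */
    int len[4];       /* bits 18+4n..19+4n decoded to bytes: 00=1, 01=2, 11=4, 10=8 */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    static const int lentab[4] = {1, 2, 8, 4};
    dr7_t d;
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) != 0;
        d.rw[n]      = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]     = lentab[(dr7 >> (18 + 4 * n)) & 3];
    }
    return d;
}

/* Number of hardware breakpoints (SoftICE BPMs) armed in dr7. */
int dr7_bpm_count(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

/* R/W type and length of breakpoint n (0..3). */
int dr7_bp_rw(uint32_t dr7, int n)  { dr7_t d = dr7_decode(dr7); return d.rw[n]; }
int dr7_bp_len(uint32_t dr7, int n) { dr7_t d = dr7_decode(dr7); return d.len[n]; }

/* The loader heuristic quoted in the text: 0x700 = bit 10 (reserved, always reads 1)
 * plus LE and GE; 0x400 = bit 10 alone. */
int dr7_has_le_ge(uint32_t dr7) { return ((dr7 >> 8) & 3) == 3; }

/* What a protector does to "clear BPMs": drop every L/G enable and all R/W+LEN fields,
 * keeping bits 8-15 (LE, GE, GD and the reserved bit 10) as they were found. */
uint32_t dr7_clear_bpms(uint32_t dr7) { return dr7 & 0x0000FF00u; }

static void show(const char *label, uint32_t dr7)
{
    static const char *rwname[4] = {"exec", "write", "io", "read/write"};
    dr7_t d = dr7_decode(dr7);
    printf("%-26s DR7=%08lX  LE=%d GE=%d GD=%d  armed=%d\n",
           label, (unsigned long)dr7, d.le, d.ge, d.gd, dr7_bpm_count(dr7));
    for (int n = 0; n < 4; n++)
        if (d.enabled[n]) printf("    DR%d: %s, %d byte(s)\n", n, rwname[d.rw[n]], d.len[n]);
}

int main(void)
{
    /* The first two values are the ones the text quotes; the third is constructed:
     * the loader state plus one global 4-byte read/write BPM on DR0. Reading the real
     * register (mov eax,dr7) is privileged, so the real check lives in a VxD. */
    show("normal load", 0x00000400u);
    show("loaded via SoftICE loader", 0x00000700u);
    show("loader + BPM on DR0", 0x000F0702u);
    show("after dr7_clear_bpms", dr7_clear_bpms(0x000F0702u));
    return 0;
}
```

The same bit layout is what a debugger-side countermeasure has to preserve: a protector that only looks at the L/G bits is blind to a BPM that was set and then disabled, while one that compares the whole register against 0x400 or 0x700 will also trip on any other tool that leaves LE/GE set.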