About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read an unpredictable value (timer port)
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger ate the int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.