<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: when SoftICE is loaded,
its int 3 handler recognises the 'BCHK' signature in ebp and al no longer
comes back as 4:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI stays 0 when no VxD answers to that ID,
so a non-zero result means the VxD is loaded:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector in the IVT with a dummy handler, so the call only returns 0F386h if
something below the IVT (the system debugger) intercepts int 41h:

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table (added here; as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own handler...
    xchg bx, es:[41h*4+2]   ; ...and keep the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
dummy handler copies al into cl, so after the call cl equals al only if our
own handler (and not the debugger) serviced the interrupt:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter: an unpredictable value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

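To make the two DR7 values quoted above concrete, here is an added decoder (example code written for this page, not part of the original text nor of any SoftICE or Frogsice tool) for the DR7 layout documented by Intel: the local/global enable bit pair per slot, the LE/GE bits 8-9, the always-set bit 10, the GD bit, and the R/W and LEN fields per slot. Run on the page's values it shows that 0x400 is nothing but the architectural reset value, while 0x700 additionally has LE and GE set, which is the fingerprint the page attributes to the SoftICE loader; a third value, constructed here, shows how an armed BPM on dr0 is exposed. The DR7/DR0 values are assumed to have been read in ring0 (or taken from a crash dump); this code only decodes them.

```python
"""Decode the x86 debug control register DR7 (Intel SDM vol. 3, "Debug Registers")."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# R/W field encodings (bits 16-17, 20-21, 24-25, 28-29 for slots 0-3)
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field encodings (bits 18-19, 22-23, 26-27, 30-31); 0b10 = 8 bytes exists only in 64-bit mode
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}

DR7_LE = 1 << 8         # local exact breakpoint enable
DR7_GE = 1 << 9         # global exact breakpoint enable
DR7_RESERVED = 1 << 10  # reads as 1 on every x86 CPU; 0x400 is the reset value
DR7_GD = 1 << 13        # general detect: trap any MOV to/from a debug register


@dataclass
class HwBreakpoint:
    slot: int
    address: int
    local: bool
    global_: bool
    access: str
    length: int


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[HwBreakpoint]:
    """Return the armed hardware breakpoints described by DR7 (addresses taken from DR0-DR3)."""
    armed = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        armed.append(HwBreakpoint(slot, dr0_3[slot], local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return armed


def summarize(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dict[str, object]:
    """Classify a DR7 value the way the check described in Method 10 does."""
    bps = decode_dr7(dr7, dr0_3)
    le_ge = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)
    if bps:
        verdict = "hardware breakpoints armed"     # a BPM is set on some dr0..dr3
    elif le_ge:
        verdict = "debugger fingerprint"           # 0x700: LE|GE set, the value the page reports for the SoftICE loader
    else:
        verdict = "clean"                          # 0x400: only the reserved bit
    return {
        "reserved_bit10": bool(dr7 & DR7_RESERVED),
        "le_ge": le_ge,
        "gd": bool(dr7 & DR7_GD),
        "active_breakpoints": len(bps),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The two values quoted on the page plus one constructed example: a 4-byte write BPM on dr0.
    samples = ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)), (0xD0701, (0x401000, 0, 0, 0)))
    for dr7, drs in samples:
        print(f"DR7={dr7:#010x}: {summarize(dr7, drs)}")
        for bp in decode_dr7(dr7, drs):
            print(f"   dr{bp.slot} @ {bp.address:#x} {bp.access} len={bp.length} "
                  f"local={bp.local} global={bp.global_}")
```

The verdict order matters: an armed BPM is reported before the LE/GE fingerprint, because a debugger that has set a breakpoint will normally have both.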
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. when the SoftICE
   VxD is loaded and accepts the DIOC_OPEN control message (see below). */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
    (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
    dword compare sees the first four characters of the driver name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

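The SoftICE breakpoints listed under each method catch these tricks at run time. As an added example (written for this page; not part of the original text, of Frogsice, or of any tool cited above), here is the analyst-side counterpart: a small Python static triage scanner that flags where a raw binary image contains the byte-level idioms quoted in Methods 01 to 07, 11, 12 and 13: the 'BCHK' immediate, the 4647h/4A4Dh magic pair, the int 2Fh/1684h sequence with either VxD ID, the int 41h/4Fh and int 68h/43h checks, the 002A002Ah VxDCall push pair, and the driver device names and registry keys as ASCII or UTF-16 strings. The opcode bytes are the standard x86 encodings of the quoted instructions (a 66h operand-size prefix in 32-bit code simply precedes them); the sample image is constructed for the demonstration and is not taken from any real file. The patterns are short, so treat hits as leads to confirm in a disassembler rather than as proof.

```python
"""Static triage: flag the SoftICE-detection idioms from this page in a raw binary image."""
import re
from typing import List, Tuple


def _ascii_and_wide(s: bytes) -> bytes:
    """Regex alternative that matches s either as ASCII or as a UTF-16LE string."""
    return re.escape(s) + b"|" + re.escape(s.decode("ascii").encode("utf-16-le"))


# (id, description, pattern) for each method; ids refer to the methods above.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("M01", "mov ebp,4243484Bh ('BCHK') BoundsChecker interface",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("M02", "int 3 back door: mov si,4647h ... mov di,4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.S)),
    ("M03/M04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    ("M05", "mov ax,4Fh ; int 41h ... cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00(?:\x00\x00)?\xCD\x41.{0,32}?\x3D\x86\xF3", re.S)),
    ("M07", "mov ah,43h ; int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("M11", "MeltICE device name \\\\.\\SICE / SIWVID / NTICE",
     re.compile(b"|".join(_ascii_and_wide(b"\\\\.\\" + n)
                          for n in (b"SICE", b"SIWVID", b"NTICE")))),
    ("M12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE registry key",
     re.compile(b"|".join(_ascii_and_wide(k) for k in (
         b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe")),
         re.I)),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, id, description) for every signature hit, ordered by offset."""
    hits = []
    for sig_id, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), sig_id, desc))
    return sorted(hits)


# Constructed sample image: the HASP-style int 3 call from Method 02, the simplest
# int 41h check from Method 05, the VxDCall push pair from Method 12, a MeltICE
# device name and a registry key.  Offsets in the comments are the expected hits.
SAMPLE_IMAGE = (
    b"\x90" * 4                          # padding
    + b"\xB8\x11\x09"                    # mov ax,0911h
    + b"\x8B\x17"                        # mov dx,[bx]
    + b"\xBE\x47\x46"                    # mov si,4647h            (offset 9)
    + b"\xBF\x4D\x4A"                    # mov di,4A4Dh
    + b"\xCC"                            # int 3
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh ; int 41h    (offset 16)
    + b"\x3D\x86\xF3\x74\x10"            # cmp ax,0F386h ; jz +10h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 002A002Ah (offset 26)
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE"              (offset 33)
    + b"Software\\NuMega\\SoftICE\x00"   # registry key            (offset 42)
)


if __name__ == "__main__":
    for offset, sig_id, desc in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {sig_id:<8} {desc}")
```

To scan a real sample, pass the file contents to scan() (for example, scan(open(path, "rb").read())); on a PE or MZ file the offsets are file offsets, not virtual addresses.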
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>