<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP set
to 'BCHK' and AX to 4, INT 3 comes back with AL no longer equal to 4 when
SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; SoftICE changes AL when it handles the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). ES is assumed to be 0 (the
interrupt vector table segment) here; Method 06 sets it explicitly:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy handler so the call returns
        xchg bx, es:[41h*4+2]   ; harmlessly when no debugger is present
        mov ax, 4fh
        int 41h                 ; SoftICE intercepts this and answers 0F386h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only reached if the IVT handler actually runs
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0, the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL == AL only if our handler got the call
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
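The DR7 values quoted above are easier to read once the register is decoded. The following is an added example (not part of the original text) that breaks a DR7 value into its fields. The bit layout is taken from the processor manuals and is my assumption, not something the text states: L0..L3/G0..G3 in bits 0-7, LE in bit 8, GE in bit 9, a reserved bit 10 that always reads as 1 (which is why 0x400 is the idle value), GD in bit 13, and the R/W and LEN pairs from bit 16 upwards. Since DRx can only be read at ring0, the decoder is meant for a value captured from a VM, a kernel debugger or a crash dump rather than read live.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the x86 DR7 debug control register. Layout assumed
 * from the processor manuals (not from the text):
 *   bits 0-7  : L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per DRx)
 *   bit  8    : LE    bit 9 : GE        (exact-breakpoint flags)
 *   bit  10   : reserved, always reads as 1 (hence the baseline 0x400)
 *   bit  13   : GD    (general detect: trap on any DRx access)
 *   bits 16-31: R/W and LEN, two bits each, for DR0..DR3 */
struct dr7_info {
    unsigned local_mask;   /* bit i set when Li is set */
    unsigned global_mask;  /* bit i set when Gi is set */
    int le, ge, gd;
    unsigned rw[4];        /* 0 = exec, 1 = write, 3 = read/write */
    unsigned len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int i = 0; i < 4; i++) {
        if (dr7 & (1u << (2 * i)))     d.local_mask  |= 1u << i;
        if (dr7 & (1u << (2 * i + 1))) d.global_mask |= 1u << i;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3u;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3u;
    }
    d.le = (dr7 >> 8) & 1u;
    d.ge = (dr7 >> 9) & 1u;
    d.gd = (dr7 >> 13) & 1u;
    return d;
}

/* Per-slot accessors, so a caller never has to poke at the struct. */
unsigned dr7_rw(uint32_t dr7, int slot)  { return decode_dr7(dr7).rw[slot & 3]; }
unsigned dr7_len(uint32_t dr7, int slot) { return decode_dr7(dr7).len[slot & 3]; }

/* Number of DR0..DR3 slots armed either locally or globally. */
int dr7_armed_count(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    unsigned armed = d.local_mask | d.global_mask;
    int n = 0;
    for (int i = 0; i < 4; i++) n += (armed >> i) & 1u;
    return n;
}

/* Classification in the terms the text uses: 0x400 is the idle value,
 * 0x700 is what the text reports when the program was started through
 * the SoftICE loader, anything with a DRx enabled means a BPM is set. */
const char *dr7_describe(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    if (dr7_armed_count(dr7) > 0) return "hardware breakpoint(s) armed";
    if (d.le && d.ge) return "LE+GE set, no breakpoints armed (the 0x700 case)";
    return "idle (only the reserved bit set)";
}

int main(void)
{
    /* constructed sample values: idle, loader-style, and DR0 armed as a
     * 4-byte read/write breakpoint */
    const uint32_t samples[] = { 0x400u, 0x700u,
                                 0x400u | 0x1u | (0x3u << 16) | (0x3u << 18) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("DR7=0x%08x: %s, %d armed\n", samples[i],
               dr7_describe(samples[i]), dr7_armed_count(samples[i]));
    return 0;
}
```

With these rules, 0x700 decodes to LE and GE set with no DR0..DR3 slot armed, and any value with a low enable bit set means a BPM is present whatever the upper bits say.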
0 k% J( W }4 E5 y. X' e! b2 b' C- V; m
__________________________________________________________________________0 K; ]9 w; A3 r- B- E) f! h8 S' X
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        /* "\\.\SICE" is the Win9x SoftICE device name; "\\.\SIWVID" and
           "\\.\NTICE" are the other drivers mentioned above */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                /* the open succeeded, so the driver is loaded */
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; -1 (failure) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected
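Both this method and Method 02 leave easily recognisable byte sequences in a file, so an analyst can flag them before running anything. The following is an added example (not code from the original text nor from MeltICE, HASP or any program cited above): a byte-signature scanner for the three device names used by MeltICE-style checks, for the 16-bit mov si,4647h / mov di,4A4Dh / int 3 setup seen in the Haspinst dump (Method 02), and for the 'BCHK' immediate of Method 01. The opcode encodings are the standard x86 ones and are my assumption; the sample buffer is constructed for the demonstration and is not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One bit per signature so a scan can report several hits at once. */
enum {
    HIT_SICE     = 1u << 0,  /* "\\.\SICE"   (Win9x SoftICE device, Method 11)  */
    HIT_SIWVID   = 1u << 1,  /* "\\.\SIWVID" (Win9x SoftICE video VxD)          */
    HIT_NTICE    = 1u << 2,  /* "\\.\NTICE"  (WinNT SoftICE device)             */
    HIT_BACKDOOR = 1u << 3,  /* mov si,4647h / mov di,4A4Dh / int 3 (Method 02) */
    HIT_BCHK     = 1u << 4   /* mov ebp,4243484Bh ('BCHK', Method 01)           */
};

struct sig { unsigned flag; const char *name; const unsigned char *bytes; size_t len; };
#define SIG(flag, lit) { flag, #flag, (const unsigned char *)(lit), sizeof(lit) - 1 }

static const struct sig SIGS[] = {
    SIG(HIT_SICE,     "\\\\.\\SICE"),
    SIG(HIT_SIWVID,   "\\\\.\\SIWVID"),
    SIG(HIT_NTICE,    "\\\\.\\NTICE"),
    /* 16-bit encodings, assumed standard x86: BE iw = mov si,imm16,
     * BF iw = mov di,imm16, CC = int 3; immediates are little-endian. */
    SIG(HIT_BACKDOOR, "\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    /* BD id = mov ebp,imm32; 'BCHK' = 0x4243484B stored little-endian. */
    SIG(HIT_BCHK,     "\xBD\x4B\x48\x43\x42"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Naive substring search over raw bytes (embedded NULs are fine). */
static int contains(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t plen)
{
    if (plen == 0 || plen > len) return 0;
    for (size_t off = 0; off + plen <= len; off++)
        if (memcmp(buf + off, pat, plen) == 0) return 1;
    return 0;
}

/* Returns the OR of the HIT_* flags for every signature present in buf. */
unsigned scan_for_softice_checks(const unsigned char *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, len, SIGS[i].bytes, SIGS[i].len)) hits |= SIGS[i].flag;
    return hits;
}

/* Constructed sample, not a real binary: NOPs around the Haspinst-style
 * back-door setup (mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3)
 * followed by a MeltICE-style device name. */
static const unsigned char SAMPLE[] =
    "\x90\x90"
    "\xB8\x11\x09"                   /* mov ax,0911h            */
    "\x8B\x17"                       /* mov dx,[bx]             */
    "\xBE\x47\x46\xBF\x4D\x4A\xCC"   /* mov si / mov di / int 3 */
    "\x90"
    "\\\\.\\SICE\0"                  /* '\\.\SICE',0            */
    "\x90";

unsigned sample_hits(void)
{
    return scan_for_softice_checks(SAMPLE, sizeof SAMPLE - 1);
}

int main(void)
{
    unsigned hits = sample_hits();
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & SIGS[i].flag) printf("found %s\n", SIGS[i].name);
    return 0;
}
```

A real scanner would also match the 32-bit form of the same sequences (a 66h prefix changes the immediate widths) and unpack the file first, since these checks usually sit inside a packer's stub; the exact-byte match shown here is the minimal version.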

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>