<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh         ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get Entry Point'):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h               ; VxD ID of winice
        int 2Fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh               ; VxD ID of SIWVID
        int 2fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________
+ \0 }2 y! |1 E2 ?% a y
( g" [& H' m) ^9 |0 u9 S# B1 @* s
# a& R# E' A- f" _% r( R& JMethod 056 E0 c: i4 a/ T8 M
=========# ?" U/ t+ y5 P) {; D5 X
5 ]4 R- `" q8 `% J/ M+ n: x
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 R7 K4 Y7 h9 adebugger. It calls the int 41h, function 4Fh. C9 \7 m" L+ d7 |) L# [
There are several alternatives. 6 d) H3 v9 R, T/ |$ M3 ?' U6 ^; _
! `# ]3 @, b- ]) CThe following one is the simplest:) u4 v. t2 Y9 l: {
# q8 m3 n# v( j6 M& i
mov ax,4fh: z# a7 z2 l! F7 }; M
int 41h
+ V. C A9 b+ I# [ cmp ax, 0F386
6 _; G: F4 x& A9 C! X# [ jz SoftICE_detected/ p0 i6 P$ M* Q
" ~0 W y8 g) L! N4 h" ?6 `* y5 u' E9 g. Z, ]0 Q- @
Next method as well as the following one are 2 examples from Stone's 6 Y: Q& Y& `4 ~* G$ z8 n
"stn-wid.zip" (www.cracking.net):, W. f% V( ^1 x9 W7 N
. N! E0 G. Y# [& w2 E/ j/ K s mov bx, cs
( K6 U [: |# n( y/ s0 a lea dx, int41handler2
; \* W H& q' v; e, W: T xchg dx, es:[41h*4]
6 e7 W! _0 b6 U$ H. W; e( \ xchg bx, es:[41h*4+2]
. p; w+ s8 U: e: l! f: e mov ax,4fh* n2 `4 x, a% w$ [7 Z5 F6 P+ b0 B
int 41h
8 V* t' _1 k3 L; [# v1 V xchg dx, es:[41h*4]/ F& U/ P d$ q" m
xchg bx, es:[41h*4+2]
" L( u4 b! R8 L0 Q/ ] cmp ax, 0f386h; s6 U( A1 O; t3 Y% i5 N
jz SoftICE_detected6 v2 X, k% O+ v+ l4 x
8 K, _, Q) d9 [7 o9 E1 ^int41handler2 PROC
7 X* m: X0 m$ [" Q+ a iret
, Z& C% z. @1 g7 j$ iint41handler2 ENDP7 Q& Y% L A7 f4 R3 p: [
8 [. r# F8 D/ i/ E4 p+ Y0 P
. f. O+ [3 B( E* }; e6 i: e
_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                   ; runs only if the IVT handler is reached
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; timer byte: an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al                   ; if our handler ran, cl == al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

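As an added example (not part of the original text), here is a decoder for the dr7 values Method 10 relies on, using the standard x86 DR7 bit layout, together with the page's heuristic written as a function; the sample values are constructed:

```python
# Standard x86 DR7 layout: bits 0-7 are L0,G0 .. L3,G3 (per-register enables),
# bit 8 LE, bit 9 GE, bit 10 reserved (always reads 1), bit 13 GD, and
# bits 16-31 hold R/Wn and LENn (2 bits each) for dr0..dr3.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7(dr7):
    """Return the armed dr0-dr3 slots with their conditions, plus LE/GE/GD."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln: breakpoint active for this task
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn: breakpoint active for all tasks
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            armed.append({"reg": n, "scope": "global" if glob else "local",
                          "cond": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"armed": armed,
            "LE": bool(dr7 & (1 << 8)),
            "GE": bool(dr7 & (1 << 9)),
            "GD": bool(dr7 & (1 << 13))}

def method10_verdict(dr7):
    """The heuristic from Method 10: 0x700 (LE and GE set on top of the
    reserved bit 10) means the SoftICE loader started the program, any armed
    slot means a BPM is set, and a bare 0x400 is a clean system."""
    info = decode_dr7(dr7)
    if info["armed"]:
        return "breakpoints set"
    if info["LE"] and info["GE"]:
        return "softice loader"
    return "clean"

# Constructed sample values: the two from the text, and a dr7 with dr0 armed
# globally as a 4-byte write breakpoint (G0=1, R/W0=01, LEN0=11).
SAMPLES = {0x700: "softice loader", 0x400: "clean", 0xD0402: "breakpoints set"}

if __name__ == "__main__":
    for value in SAMPLES:
        print("dr7=%#x -> %s %s" % (value, method10_verdict(value), decode_dr7(value)))
```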
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the C literal "\\\\.\\SICE" is the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the SICE VxD answers: detected */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh              ; function 4fh
        push 002a002ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001      ; VxdCall
        cmp ax, 0f386h              ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

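As an added example (not part of the original text), here is a small static scanner for the byte patterns these tricks leave in a binary: the opcode sequences from Methods 01 to 07 and 12, and the device-name and registry strings from Methods 11 and 13. The encodings are the standard x86 ones for the instructions listed above and the sample buffer is constructed; it goes slightly beyond the text by also reading the VxD ID out of an int 2Fh probe.

```python
import re

# Standard x86 encodings of the instructions in the listings above. "??" matches
# any byte; "66?" is an optional 66h operand-size prefix, which 32-bit code puts
# before each 16-bit mov (the 8-bit, int and push forms are the same in both).
OPCODE_SIGNATURES = {
    "01 'BCHK' (mov ebp,4243484Bh)":                   "BD 4B 48 43 42",
    "02 backdoor magic (mov si,4647h / mov di,4A4Dh)": "66? BE 47 46 66? BF 4D 4A",
    "03/04 VxD entry (mov ax,1684h / mov bx,ID / int 2Fh)":
        "66? B8 84 16 66? BB ?? ?? CD 2F",
    "05 probe (mov ax,4Fh / int 41h)":                 "B8 4F 00 CD 41",
    "05/07/12 magic compare (cmp ax,0F386h)":          "3D 86 F3",
    "07 V86 probe (mov ah,43h / int 68h)":             "B4 43 CD 68",
    "12 VxDCall Int41Dispatch (push 2A002Ah)":         "68 2A 00 2A 00",
}
# Strings left by the CreateFileA/_lopen (11) and registry (13) variants.
STRING_SIGNATURES = {
    "11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "13 NuMega registry key": [b"Software\\NuMega\\SoftICE"],
}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}   # IDs quoted in methods 03/04/09

def compile_hex(pattern):
    """Turn 'B8 84 16 ?? ??' into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "66?":
            parts.append(b"(?:" + re.escape(b"\x66") + b")?")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(blob):
    """Return sorted (offset, description) hits for every signature in blob."""
    hits = []
    for name, pat in OPCODE_SIGNATURES.items():
        for m in compile_hex(pat).finditer(blob):
            desc = name
            if name.startswith("03/04"):
                # the imm16 of 'mov bx,ID' is the two bytes just before 'CD 2F'
                vxd_id = int.from_bytes(m.group(0)[-4:-2], "little")
                desc += " id=%04Xh (%s)" % (vxd_id, VXD_IDS.get(vxd_id, "unknown"))
            hits.append((m.start(), desc))
    for name, strings in STRING_SIGNATURES.items():
        for s in strings:
            for m in re.finditer(re.escape(s), blob):
                hits.append((m.start(), "%s %s" % (name, s.decode())))
    return sorted(hits)

# Constructed sample "binary": NOP filler around a 16-bit Method 04 probe
# (SIWVID), a Method 05 probe with its magic compare, and a MeltICE string.
SAMPLE = (b"\x90" * 8
          + bytes.fromhex("B8 84 16 BB 5F 7A CD 2F")
          + b"\x90" * 4
          + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05")
          + b"\x00" * 3
          + b"\\\\.\\SICE\x00")
```

Running scan(SAMPLE) reports the int 2Fh probe at offset 8 with its SIWVID ID, the int 41h probe and its cmp at 20 and 25, and the device name at 33.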
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>