About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is left at 4 when no SoftICE int 3 handler answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the IVT lives at segment 0 (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, saving the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax untouched, SoftICE answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
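The sequences above that end in an interrupt (the 'BCHK' request of Method 01, the SI=4647h/DI=4A4Dh back door of Method 02 and the int 41h/4Fh check of Method 05) have fixed opcode encodings, so an analyst can locate them in a binary before running it under a debugger. The scanner below is an added example written for this page in Python; it is not part of the original text nor of any tool the text mentions. The sample bytes are hand-assembled for the example, and the 24-byte context window is an assumption: it matches the listings above, where the register loads sit right next to the INT, and code that spreads them further apart would be missed.

```python
"""Scanner for the INT 3 / INT 41h anti-SoftICE opcode sequences (Methods 01, 02, 05)."""
import re
from typing import Dict, List, Optional

# SoftICE int 3 back-door function numbers, as listed in Method 02.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

WINDOW = 24  # assumption: bytes of context examined on either side of an INT opcode

# Constructed sample: hand-assembled 16-bit real-mode code carrying the three
# sequences (standard x86 encodings), separated by NOP/RET filler.
SAMPLE = bytes([
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp, 4243484Bh  ('BCHK')
    0xB8, 0x04, 0x00,                     # mov ax, 4
    0xCC,                                 # int 3
    0x3C, 0x04,                           # cmp al, 4
    0x75, 0x05,                           # jnz SoftICE_Detected
    0x90, 0x90, 0x90, 0xC3,               # filler
    0xB8, 0x11, 0x09,                     # mov ax, 0911h  (execute command)
    0x8B, 0x17,                           # mov dx, [bx]
    0xBE, 0x47, 0x46,                     # mov si, 4647h  (1st magic value)
    0xBF, 0x4D, 0x4A,                     # mov di, 4A4Dh  (2nd magic value)
    0xCC,                                 # int 3
    0x90, 0x90,                           # filler
    0xB8, 0x4F, 0x00,                     # mov ax, 4Fh
    0xCD, 0x41,                           # int 41h
    0x3D, 0x86, 0xF3,                     # cmp ax, 0F386h
    0x74, 0x05,                           # jz SoftICE_detected
])


def _backdoor_function(ctx: bytes) -> Optional[int]:
    """Return the AX value loaded by the last 'mov ax, 09xxh' in ctx, if any."""
    loads = list(re.finditer(rb"\xB8(.)\x09", ctx, re.S))
    return (0x0900 | loads[-1].group(1)[0]) if loads else None


def scan(data: bytes) -> List[Dict]:
    """Return one record per recognised sequence, sorted by file offset."""
    hits: List[Dict] = []

    # Methods 01 and 02 both end in INT 3 (0xCC); inspect what was loaded before it.
    for m in re.finditer(rb"\xCC", data):
        before = data[max(0, m.start() - WINDOW):m.start()]
        if b"\xBD\x4B\x48\x43\x42" in before:          # mov ebp, 'BCHK'
            hits.append({"offset": m.start(), "method": "01",
                         "detail": "BoundsChecker 'BCHK' request via int 3"})
        elif b"\xBE\x47\x46" in before and b"\xBF\x4D\x4A" in before:
            ax = _backdoor_function(before)
            hits.append({"offset": m.start(), "method": "02", "ax": ax,
                         "detail": "int 3 back door, SI=4647h DI=4A4Dh, "
                                   + BACKDOOR_FUNCS.get(ax, "unknown function")})

    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    for m in re.finditer(rb"\xCD\x41", data):
        before = data[max(0, m.start() - WINDOW):m.start()]
        after = data[m.end():m.end() + WINDOW]
        if b"\xB8\x4F\x00" in before and b"\x3D\x86\xF3" in after:
            hits.append({"offset": m.start(), "method": "05",
                         "detail": "int 41h/4Fh with 0F386h magic-number compare"})

    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:04X}  Method {h['method']}: {h['detail']}")
```

Run against a real file, feed the code section bytes to scan(); a hit at a given offset tells you which of the listings above to expect there and, for Method 02, which back-door function (0910h-0914h) the sample asks SoftICE to perform.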

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read an arbitrary value (timer port 40h) into al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler was really reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the VxD by its device name only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

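Methods 11 and 13 both rely on fixed strings (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the registry key paths), and those strings survive in a program's data section whether it calls CreateFileA, _lopen or RegOpenKey. The scanner below is an added example written for this page in Python, not code from the original text; it searches a buffer for those strings in both ANSI and UTF-16LE form, case-insensitively (Win32 device paths and registry keys are not case-sensitive), and reports which method each hit indicates. The sample buffer is constructed for the example; a real run would pass the bytes of a PE file's sections instead.

```python
"""String-indicator scanner for device-name opens (Method 11) and registry probes (Method 13)."""
import re
from typing import Dict, List, Set

# Device names from Method 11 and the registry keys from Method 13. The
# HKEY_LOCAL_MACHINE hive is a handle, not part of the key string a program
# passes to RegOpenKey, so it is left out of the patterns.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

METHOD_BY_KIND = {"device": "11", "registry": "13"}


def _compile():
    """Build (kind, string, encoding, regex) tuples for narrow and wide copies."""
    pats = []
    for kind, strings in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for s in strings:
            pats.append((kind, s, "ascii",
                         re.compile(re.escape(s.encode("ascii")), re.I)))
            pats.append((kind, s, "utf-16le",
                         re.compile(re.escape(s.encode("utf-16-le")), re.I)))
    return pats


PATTERNS = _compile()

# Constructed sample resembling a data section: an ANSI device name (as in the
# MeltICE snippet), a lower-case wide device name (as a CreateFileW caller would
# store it) and one registry key, padded with unrelated bytes.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"GENERIC junk\x00"
    + "\\\\.\\ntice".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x90" * 4
)


def scan_strings(data: bytes) -> List[Dict]:
    """Return one record per indicator found, sorted by offset."""
    hits: List[Dict] = []
    for kind, s, enc, pat in PATTERNS:
        for m in pat.finditer(data):
            hits.append({"offset": m.start(), "kind": kind, "string": s,
                         "encoding": enc, "method": METHOD_BY_KIND[kind]})
    return sorted(hits, key=lambda h: h["offset"])


def methods_indicated(data: bytes) -> Set[str]:
    """The set of method numbers (from this text) whose indicators are present."""
    return {h["method"] for h in scan_strings(data)}


if __name__ == "__main__":
    for h in scan_strings(SAMPLE):
        print(f"{h['offset']:08X}  Method {h['method']}  {h['encoding']:8}  {h['string']}")
    print("methods indicated:", sorted(methods_indicated(SAMPLE)))
```

A hit only says the string is present; the next step is to find the code that references it (for Method 11, the CreateFileA or _lopen call shown in the listings above) and set the matching BPX there.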
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.