About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4,
an INT 3 is answered by SoftICE (which modifies AL), whereas without
SoftICE AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI stays 0:0 (which is why it is zeroed first).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy IRET handler, so the call is harmless when no debugger hooks int 41h,
and restored afterwards:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset in DX
    xchg    bx, es:[41h*4+2]        ; ... and old segment in BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:
the value to compare is read from the timer (port 40h), so it differs at
each run, and the dummy handler copies AL into CL. If a debugger has hooked
int 41h and does not pass the call on to the vector, the dummy handler never
runs, CL stays 0 and the compare fails.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

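An added example, not part of the original text: a C decoder for the DR0-DR3/DR7 values this method reads, with the dr7=0x700 / 0x400 heuristic stated above and the DR7 edits a protection would make to wipe memory breakpoints. Reading or writing the registers needs ring 0 (MOV EAX,DRn / MOV DRn,EAX) and is outside the example; the values in main() are constructed to look like one 4-byte read/write BPM set by SoftICE.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded hardware breakpoint slot n: DRn plus its control bits in DR7
 * (Intel layout: Ln/Gn in bits 2n/2n+1, R/Wn in bits 16+4n..17+4n,
 * LENn in bits 18+4n..19+4n). */
typedef struct {
    uint32_t addr;    /* linear address held in DRn */
    bool     local;   /* Ln: enabled for the current task */
    bool     global;  /* Gn: enabled for all tasks */
    unsigned rw;      /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read or write */
    unsigned len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes, 64-bit only) */
} hwbp_t;

hwbp_t decode_slot(uint32_t drn, uint32_t dr7, int n)
{
    hwbp_t b;
    b.addr   = drn;
    b.local  = (dr7 >> (2 * n)) & 1u;
    b.global = (dr7 >> (2 * n + 1)) & 1u;
    b.rw     = (dr7 >> (16 + 4 * n)) & 3u;
    b.len    = (dr7 >> (18 + 4 * n)) & 3u;
    return b;
}

/* Number of slots with L or G set: the "are there BPMs?" check of the text. */
int active_slots(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        if ((dr7 >> (2 * n)) & 3u)
            count++;
    return count;
}

/* The text's loader heuristic: 0x700 = LE (bit 8) | GE (bit 9) | reserved bit 10,
 * 0x400 = only the reserved bit that always reads 1. "Loaded by the SoftICE
 * loader" is therefore LE and GE both set. This is the page's observation for
 * SoftICE of that era, not an architectural guarantee. */
bool softice_loader_signature(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* DR7 value a debugger writes to arm slot n as a local breakpoint of the given
 * type and size (what a BPM does), leaving the other slots untouched. */
uint32_t dr7_arm_local(uint32_t dr7, int n, unsigned rw, unsigned len)
{
    dr7 |=  1u << (2 * n);                 /* Ln */
    dr7 &= ~(0xFu << (16 + 4 * n));        /* clear old R/Wn and LENn */
    dr7 |= (rw  & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7;
}

/* The protection's counter-move from the text: drop every L/G bit and type
 * field so all memory breakpoints are silently disabled, keeping bits 8-15
 * (LE, GE, GD and the reserved bits) as they were. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    /* Constructed values: loader signature plus one BPMD 401000 RW in slot 0. */
    uint32_t dr0 = 0x00401000u;
    uint32_t dr7 = dr7_arm_local(0x700u, 0, 3, 3);
    hwbp_t b = decode_slot(dr0, dr7, 0);

    printf("dr7=%08x loader=%d active=%d\n",
           dr7, softice_loader_signature(dr7), active_slots(dr7));
    printf("slot0 addr=%08x local=%d rw=%u len=%u\n", b.addr, b.local, b.rw, b.len);
    printf("after clear: dr7=%08x active=%d\n",
           dr7_clear_breakpoints(dr7), active_slots(dr7_clear_breakpoints(dr7)));
    return 0;
}
```

The R/W and LEN encodings map directly onto SoftICE's BPM, BPMB, BPMW and BPMD with R, W, RW or X, so dumping the decoded slots is the quickest way to see which of your breakpoints a protection would find by this method.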
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The open only succeeds if the SICE VxD answers the DIOC_OPEN request. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the inc/jnz):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


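As an added example (not from the original text, nor from MeltICE or nmtrans.dll), the probe logic generalised to all three driver names the text lists, in C with the open call injected as a callback so it compiles and runs outside Windows; on a real Win9x/NT box that callback would wrap the CreateFileA call shown above. The second function evaluates the classic BPX CreateFileA condition the way SoftICE does (first argument at esp->4, skip the 4-byte \\.\ prefix, compare the next 4 bytes in memory order), so you can see exactly which strings trip it. The two fake_open_* callbacks are constructed stand-ins for a machine with and without SoftICE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Driver device names the text lists: SICE and SIWVID (Win9x), NTICE (WinNT). */
#define SOFTICE_SICE   0x1u
#define SOFTICE_SIWVID 0x2u
#define SOFTICE_NTICE  0x4u

static const struct { const char *path; unsigned flag; } k_softice_devices[] = {
    { "\\\\.\\SICE",   SOFTICE_SICE   },
    { "\\\\.\\SIWVID", SOFTICE_SIWVID },
    { "\\\\.\\NTICE",  SOFTICE_NTICE  },
};

/* Injected opener. On Windows it would be
 *   h = CreateFileA(path, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
 *                   NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 *   ok = (h != INVALID_HANDLE_VALUE); if (ok) CloseHandle(h);
 * Here it is a plain callback so the logic runs and is testable anywhere. */
typedef bool (*open_device_fn)(const char *path);

/* MeltICE-style probe: try every name, return a bitmask of those that opened.
 * Any non-zero result means a SoftICE driver answered the DIOC_OPEN. */
unsigned probe_softice(open_device_fn try_open)
{
    unsigned found = 0;
    for (size_t i = 0; i < sizeof k_softice_devices / sizeof k_softice_devices[0]; i++)
        if (try_open(k_softice_devices[i].path))
            found |= k_softice_devices[i].flag;
    return found;
}

/* C model of
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first stack argument at the breakpoint), +4 skips the
 * "\\.\" prefix, and SoftICE's four-character literal matches the next four
 * bytes in memory order. A length check is added so a short string cannot be
 * read past its end (the real breakpoint has no such guard). */
bool bpx_createfile_condition(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return false;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return true;
    return false;
}

/* Constructed stand-ins for the opener: a Win9x machine with SoftICE loaded
 * (SICE and SIWVID both answer) and a clean machine (nothing opens). */
bool fake_open_softice_loaded(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}

bool fake_open_clean(const char *path)
{
    (void)path;
    return false;
}

int main(void)
{
    printf("loaded box: mask=%x  clean box: mask=%x\n",
           probe_softice(fake_open_softice_loaded), probe_softice(fake_open_clean));
    printf("condition on \\\\.\\SIWVID: %d, on C:\\SICE.TXT: %d\n",
           bpx_createfile_condition("\\\\.\\SIWVID"),
           bpx_createfile_condition("C:\\SICE.TXT"));
    return 0;
}
```

probe_softice(fake_open_softice_loaded) returns SOFTICE_SICE | SOFTICE_SIWVID, and the condition function shows why the breakpoint fires on "\\.\SIWVID" but not on "C:\SICE.TXT": the tag is only looked for at offset 4, which is worth remembering when a protection hides the device name behind a slightly different path or builds it at run time.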
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>