<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Open the SoftICE VxD by its device name; success means it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
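As an added example (not part of the original text), here is a small Python scanner an analyst can run over a sample to triage which of the tricks above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) it carries; it looks for the byte encodings of the constants these methods use. The instruction encodings are my assumption about how the listed snippets assemble (standard 16/32-bit x86), and the sample image is constructed.

```python
"""Static triage for the anti-SoftICE tricks described above.

Scans a raw binary image for the constant operands those tricks leave in
compiled x86 code and reports the offset and method family of each hit.
A hit is a lead for the analyst to inspect, not proof on its own."""
import re

# (method, description, regex over the bytes as they appear in an image).
# Encodings assume plain 16-bit or 32-bit x86; the optional 0x66 prefix is
# the operand-size override seen when the immediate width does not match
# the code segment's default width.
SIGNATURES = [
    ("method01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("method02", "mov si,4647h / mov di,4A4Dh back-door magic values",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    ("method03", "mov bx,0202h / int 2Fh (SICE VxD ID)",
     rb"\x66?\xBB\x02\x02\xCD\x2F"),
    ("method04", "mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",
     rb"\x66?\xBB\x5F\x7A\xCD\x2F"),
    ("method05", "mov ax,4Fh / int 41h debugger installation check",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("method07", "mov ah,43h / int 68h WinICE V86 handler check",
     rb"\xB4\x43\xCD\x68"),
    ("int41_magic", "cmp ax,0F386h (methods 05, 07, 12)",
     rb"\x66?\x3D\x86\xF3"),
    ("method12", "push 002A002Ah VxDCall service id (VWIN32_Int41Dispatch)",
     rb"\x68\x2A\x00\x2A\x00"),
    ("method11", "SoftICE driver device name (MeltICE / _lopen)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("method13", "NuMega SoftICE registry key name",
     rb"NuMega\\SoftICE"),
]

def scan(image):
    """Return (offset, method, description) tuples for every hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for match in re.finditer(pattern, image):
            hits.append((match.start(), method, desc))
    return sorted(hits)

# Constructed sample image (not a real executable): a few of the sequences
# above wrapped in NOP padding, placed at known offsets.
SAMPLE_IMAGE = b"".join([
    b"MZ" + b"\x90" * 14,           # offset 0: fake header padding
    b"\xBD\x4B\x48\x43\x42",        # offset 16: mov ebp,4243484Bh
    b"\x66\xB8\x04\x00\xCC",        # mov ax,4 / int 3
    b"\x3C\x04\x75\x10",            # cmp al,4 / jnz SoftICE_Detected
    b"\x90" * 8,
    b"\\\\.\\SICE\x00",             # offset 38: MeltICE device name
    b"\x90" * 4,
    b"\xB8\x4F\x00\xCD\x41",        # offset 51: mov ax,4Fh / int 41h
    b"\x3D\x86\xF3\x74\x05",        # offset 56: cmp ax,0F386h / jz
])

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {method:<12} {desc}")
```

Run it on a real file with `scan(open(path, "rb").read())`; the short two-byte sequences deliberately require their opcode bytes so that ordinary data does not trigger them.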
</PRE></TD></TR></TBODY></TABLE>