About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES must point to the IVT (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

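Reading DR0-DR7 is ring0-only, as the text says. The following added example (not part of the original text) takes register values already read and decodes DR7 with the documented Intel bit layout, applying the 0x400/0x700 rule above and listing any armed hardware breakpoint; the register values are constructed.

```python
# Added example: decode DR7 as Method 10 reads it.  Bit layout is the Intel
# DR7 definition: L/G enable pairs in bits 0-7, LE bit 8, GE bit 9, bit 10
# always reads 1 (hence the 0x400 baseline), GD bit 13, R/Wn at 16+4n, LENn
# at 18+4n.  The 0x700 loader signature comes from the text above.

DR7_RESERVED_ONE = 1 << 10

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}      # 10b = 8 bytes only in long mode


def decode_dr7(dr7):
    """Return the enable flags and the four breakpoint slot settings of DR7."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),      # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),      # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),     # general detect: traps MOV DRn
        "slots": slots,
    }


def classify(dr0_3, dr7):
    """Apply the Method 10 logic: loader signature first, then armed BPM slots.

    dr0_3 is the list [dr0, dr1, dr2, dr3]; returns (verdict, armed) where
    armed lists (slot, address, type, length) for every enabled breakpoint.
    """
    info = decode_dr7(dr7)
    if dr7 == 0x700:
        verdict = "softice-loader"       # value the text gives for a SoftICE-loaded program
    elif any(s["enabled"] for s in info["slots"]):
        verdict = "hardware-breakpoint"  # a BPM (or any DRx breakpoint) is armed
    elif dr7 & ~DR7_RESERVED_ONE == 0:
        verdict = "clean"                # only the always-one bit: 0x400
    else:
        verdict = "other-flags"          # LE/GE/GD set without the 0x700 pattern
    armed = [(s["slot"], hex(dr0_3[s["slot"]]), s["type"], s["length"])
             for s in info["slots"] if s["enabled"]]
    return verdict, armed


if __name__ == "__main__":
    # Constructed values: a clean machine, a program started by the SoftICE
    # loader, and a 4-byte write BPM on slot 0 (L0 | RW0=write | LEN0=4).
    for regs, dr7 in ([0, 0, 0, 0], 0x400), ([0, 0, 0, 0], 0x700), ([0x401000, 0, 0, 0], 0xD0401):
        print(hex(dr7), classify(regs, dr7))
```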
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers.
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
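Several of the methods above leave a fixed byte or string fingerprint in the protected file. The following added example (not part of the original text) is a static triage scanner for the fingerprints of Methods 01, 02, 05, 07, 11, 12 and 13, the kind of check an analyst runs on a packed sample before debugging it; the opcode bytes are the standard x86 encodings of the instructions listed, and SAMPLE is a constructed buffer, not a real binary.

```python
import re

# Added example: byte-level fingerprints of the anti-SoftICE methods above.
# An optional 66h prefix covers 16-bit register operands inside 32-bit code;
# .{0,8}? tolerates a few interleaved instructions between the key opcodes.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    ("01 BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the int 3 back-door magic values
    ("02 int 3 back door magic values",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46"),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh debugger check",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h WinICE handler check",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    # Method 11: driver device names opened with CreateFileA or _lopen (MeltICE)
    ("11 MeltICE driver device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall to VWIN32_Int41Dispatch
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the NuMega registry key (key #2 in the text)
    ("13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(buf):
    """Return (offset, description) pairs, sorted by offset, for every hit in buf."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


def methods_found(buf):
    """Distinct method numbers whose fingerprint appears in buf."""
    return sorted({desc.split()[0] for _, desc in scan(buf)})


# Constructed sample: the Method 01 sequence, the Haspinst.exe back-door call
# (B8 11 09 / 8B 17 / BE 47 46 / BF 4D 4A / CC), a Method 12 VxDCall prologue,
# two MeltICE device names and the registry key, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {desc}")
```

Run it over a whole file with `scan(open(path, "rb").read())`; hits on Methods 01, 02, 05 and 07 are only meaningful in code sections, so treat them as leads to confirm under the debugger rather than proof on their own.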
</PRE></TD></TR></TBODY></TABLE>