<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP set
to the 'BCHK' signature and AX=04h, SoftICE answers the INT 3 and AL comes
back changed. If nobody answered the call, AL still holds 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; AL unchanged -> no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach SoftICE's 'back door' commands through INT 3, which give information
on breakpoints, execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description (function number in AX):
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h  ('FG')
 -DI = 4A4Dh  ('JM')
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD through int 2Fh/1684h
(Get Device API Entry Point): ES:DI receives the API entry point of the
VxD whose ID is in BX, and stays 0:0 if that VxD is not loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when the debugger installation check, int 41h function
4Fh, is called.
There are several variants. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). This one first points the
real-mode int 41h vector at its own do-nothing IRET handler, so a normal
int 41h would return AX unchanged; if AX still comes back as 0F386h,
something underneath the vector table (SoftICE, which intercepts int 41h
in V86 mode) answered the call:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must be 0 (the IVT) here, as in Method 06;
    xchg bx, es:[41h*4+2]   ; swap in our handler and keep the old vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (no
4Fh/0F386h constants to break on): the private int 41h handler copies AL
into CL. The program loads AL with an unpredictable value (the timer count
read from port 40h), clears CX and calls int 41h. If the program's own
handler ran, CL equals AL afterwards; if it does not, something else
(SoftICE) swallowed the interrupt.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value (PIT counter)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger
interface): function AH=43h is the installation check and returns
AX=0F386h when a debugger is present.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
    EIP is located at [ebp+48h] for 32-bit apps)
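Added example (not part of the original text or of any of the tools it
mentions): a small Python scanner that looks for the instruction encodings
of Methods 01-05 and 07 in a raw code image, the way one would triage a
packed sample before loading it under SoftICE. The byte patterns are the
standard x86 encodings of the instructions listed in those methods (the
66h operand-size prefix of the 32-bit forms is left out so that both
16-bit and 32-bit variants match); the sample image is constructed here,
not taken from Haspinst.exe. Method 06 is deliberately absent: it has no
fixed constant to look for.

```python
"""Static scanner for the SoftICE checks of Methods 01-05 and 07:
looks for the instruction encodings in a raw code image."""

# Each signature is a list of byte patterns that must all appear in order
# within WINDOW bytes of the first one.  The bytes are the standard x86
# encodings of the instructions shown in the methods above; the 66h
# operand-size prefix of the 32-bit forms is left out so that both the
# 16-bit and 32-bit variants match.
WINDOW = 32
SIGNATURES = {
    "int3_BCHK_method01": [
        b"\xBD\x4B\x48\x43\x42",  # mov ebp, 4243484Bh ('BCHK')
        b"\xB8\x04\x00",          # mov ax, 4
        b"\xCC",                  # int 3
    ],
    "int3_FGJM_method02": [
        b"\xBE\x47\x46",          # mov si, 4647h ('FG')
        b"\xBF\x4D\x4A",          # mov di, 4A4Dh ('JM')
        b"\xCC",                  # int 3
    ],
    "int2F_1684_SICE_method03": [
        b"\xB8\x84\x16",          # mov ax, 1684h
        b"\xBB\x02\x02",          # mov bx, 0202h (SICE VxD ID)
        b"\xCD\x2F",              # int 2Fh
    ],
    "int2F_1684_SIWVID_method04": [
        b"\xB8\x84\x16",          # mov ax, 1684h
        b"\xBB\x5F\x7A",          # mov bx, 7A5Fh (SIWVID VxD ID)
        b"\xCD\x2F",              # int 2Fh
    ],
    "int41_4F_method05": [
        b"\xB8\x4F\x00",          # mov ax, 4Fh
        b"\xCD\x41",              # int 41h
    ],
    "int68_43_method07": [
        b"\xB4\x43",              # mov ah, 43h
        b"\xCD\x68",              # int 68h
    ],
}


def scan(image):
    """Return a sorted list of (offset, signature_name) hits."""
    hits = []
    for name, patterns in SIGNATURES.items():
        anchor, rest = patterns[0], patterns[1:]
        start = 0
        while True:
            off = image.find(anchor, start)
            if off == -1:
                break
            # the remaining patterns must follow the anchor, in order,
            # inside the window
            pos = off + len(anchor)
            for pat in rest:
                pos = image.find(pat, pos, off + WINDOW)
                if pos == -1:
                    break
                pos += len(pat)
            else:
                hits.append((off, name))
            start = off + 1
    return sorted(hits)


# Constructed sample image (not a dump of a real file): filler around a
# Method 02 sequence shaped like the Haspinst.exe listing and a Method 03
# sequence.  CLEAN holds a lone int 3 so the in-order window check matters.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"              # mov ax, 0911h
    + b"\x8B\x17"                  # mov dx, [bx]
    + b"\xBE\x47\x46"              # mov si, 4647h      (offset 13)
    + b"\xBF\x4D\x4A"              # mov di, 4A4Dh
    + b"\xCC"                      # int 3
    + b"\x83\xC3\x02"              # add bx, 2
    + b"\x90" * 16
    + b"\x33\xFF\x8E\xC7"          # xor di,di / mov es,di
    + b"\xB8\x84\x16"              # mov ax, 1684h      (offset 43)
    + b"\xBB\x02\x02"              # mov bx, 0202h
    + b"\xCD\x2F"                  # int 2Fh
    + b"\x8C\xC0\x03\xC7\x85\xC0"  # mov ax,es / add ax,di / test ax,ax
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 8
)
CLEAN = b"\x90" * 40 + b"\xCC" + b"\x90" * 40

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Hits are leads, not proof: a packer that reorders the register setup or
computes the constants at run time defeats the scanner, and CCh is a common
padding byte, so each hit is something to confirm under the debugger
(BPINT 3, BPINT 2F, BPINT 41, BPX exec_int) rather than a verdict.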
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system: the
program intercepts int 01h and int 03h (the single-step and breakpoint
interrupts the debugger relies on) and redirects them to a routine of its
own.
It calls int 21h functions 35h (get interrupt vector) and 25h (set
interrupt vector), with DS:DX pointing to the new routine to execute
(hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The VMM Get_DDB service determines whether a VxD with the specified device
ID is installed and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints (BPM)
are set (dr0 to dr3 hold their linear addresses), simply by reading the
registers' values (ring 0 only, since MOV from DRx is privileged). The
values can be manipulated or changed as well (clearing BPMs, for instance).
, X& q- j, I: v4 O! L__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
devices (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; the open only succeeds when the driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025            ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001             ; INVALID_HANDLE_VALUE ?
00401074: je 00401091              ; yes -> not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  dword compare lands on the first four letters of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; -> '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; -> '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door: the int 41h request
is handed to VWIN32's Int41Dispatch service instead of being issued by the
program itself. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the subkey string; 0x13 is the offset of "tICE" in
  "Software\NuMega\SoftICE" and 0x37 its offset in
  "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). The service returns with the zero flag set when no debugger
is installed, hence the je.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>