<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet. It relies on
the BoundsChecker interface built into SoftICE: int 3 is called with
EBP='BCHK' and AX=4. SoftICE answers by modifying AL, whereas the default
int 3 handler returns with AL untouched.

        mov ebp, 04243484Bh   ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4             ; still 4 -> nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands': an int 3 with magic values in SI/DI that
returns information on breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP     ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed
  by the program if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/AX=1684h (Windows "Get VxD API entry point"). ES:DI is cleared
first; Windows returns the entry point in ES:DI, which stays zero when no
VxD with that ID is loaded. (Note that 'add ax,di' is what the packers use;
'or ax,di' would be the safer test, since a segment and an offset could in
principle sum to zero.)

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h         ; VxD ID of WINICE (device SICE)
        int 2Fh
        mov ax, es            ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh         ; VxD ID of SIWVID
        int 2Fh
        mov ax, es            ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh (the debugger installation
check) is called. There are several variants. The simplest one is:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

Caveat: this bare form only makes sense under Windows, where the VMM owns
int 41h. Under plain DOS the int 41h vector is not a handler at all but the
pointer to the hard disk 0 parameter table, so the call would execute data.
The variants below avoid the problem by installing their own int 41h handler
first; SoftICE still sees the call because it intercepts int 41h before the
interrupt vector table entry is reached.

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax            ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]   ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]   ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret                  ; no debugger: AX is left untouched (4Fh)
int41handler2 ENDP

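The following is an added example, not code from the article, from HASPINST,
from Stone or from NuMega. It puts Methods 01, 03, 04 and 05 together in one
runnable DOS program (assemble with NASM into a .COM file); routine names,
labels and messages are invented here. The int 41h check uses the DOS
get/set vector calls (int 21h/35h and 25h, the ones Method 08 abuses) to park
a harmless IRET on int 41h before calling it, which is what makes that check
safe under plain DOS.

```nasm
; sicedet.asm -- added example, not code from the original article.
; Build: nasm -f bin -o sicedet.com sicedet.asm   (run it inside a DOS box)
; Method 01 (int 3 'BCHK'), Methods 03/04 (int 2Fh/1684h VxD lookup) and
; Stone's hooked variant of Method 05 (int 41h/4Fh) as check_* routines
; returning CF=1 when SoftICE answered. Names and messages are our own.
        org 100h
        bits 16

start:
        call    check_bchk
        mov     dx, msg_bchk
        call    report
        mov     bx, 0202h               ; SICE VxD ID (Method 03)
        call    check_vxd
        mov     dx, msg_sice
        call    report
        mov     bx, 7A5Fh               ; SIWVID VxD ID (Method 04)
        call    check_vxd
        mov     dx, msg_siwvid
        call    report
        call    check_int41
        mov     dx, msg_int41
        call    report
        cmp     byte [found], 0
        jne     .exit
        mov     dx, msg_clean
        mov     ah, 09h                 ; DOS: print '$'-terminated string
        int     21h
.exit:
        mov     ax, 4C00h               ; DOS: terminate
        int     21h

report:                                 ; CF=1: print DS:DX and note the hit
        jnc     .skip                   ; mov/call above leave CF alone
        mov     byte [found], 1
        mov     ah, 09h
        int     21h
.skip:  ret

; Method 01: int 3 with EBP='BCHK', AX=4. SoftICE changes AL; the default
; int 3 handler is an IRET and leaves AL=4.
check_bchk:
        push    ebp
        mov     ebp, 4243484Bh          ; 'BCHK' in MASM byte order
        mov     ax, 4
        int     3
        pop     ebp
        xor     al, 4                   ; 0 if nobody touched AL
        neg     al                      ; NEG sets CF only when AL != 0
        ret

; Methods 03/04: int 2Fh AX=1684h, BX=VxD ID -> ES:DI = API entry point.
; ES:DI is zeroed first so it stays 0 when the VxD is absent or no Windows
; VMM answers. OR (not ADD) so a segment and an offset cannot cancel out.
check_vxd:
        push    es
        xor     di, di
        mov     es, di
        mov     ax, 1684h
        int     2Fh
        mov     ax, es
        or      ax, di
        pop     es
        neg     ax                      ; CF=1 iff ES:DI came back nonzero
        ret

; Method 05 (Stone): park our own IRET on int 41h via DOS get/set vector
; (int 21h/35h, 25h), call AX=4Fh, restore the vector. SoftICE catches the
; int 41h before the vector table and answers 0F386h; otherwise our IRET
; runs and AX keeps 4Fh. Clobbers AX, BX, CX, DX, ES.
check_int41:
        mov     ax, 3541h               ; ES:BX = current int 41h vector
        int     21h
        push    es
        push    bx
        mov     dx, int41_iret          ; DS:DX = our handler (DS = CS in a .COM)
        mov     ax, 2541h
        int     21h
        mov     ax, 4Fh
        int     41h
        mov     cx, ax                  ; keep the answer
        pop     dx                      ; DS:DX = saved vector
        pop     ds
        mov     ax, 2541h
        int     21h
        push    cs                      ; DS back to our segment
        pop     ds
        xor     cx, 0F386h              ; 0 iff the magic number came back
        cmp     cx, 1                   ; CF=1 only when CX was 0
        ret

int41_iret:
        iret

found       db 0
msg_bchk    db 'SoftICE: int 3 BCHK signature answered', 13, 10, '$'
msg_sice    db 'SoftICE: SICE VxD present (int 2Fh/1684h)', 13, 10, '$'
msg_siwvid  db 'SoftICE: SIWVID VxD present (int 2Fh/1684h)', 13, 10, '$'
msg_int41   db 'SoftICE: int 41h/4Fh returned 0F386h', 13, 10, '$'
msg_clean   db 'No SoftICE detected', 13, 10, '$'
```

Each routine hands its verdict back in the carry flag, so the main loop
needs no compare between checks; running the program under SoftICE with
BPINT 3, BPINT 2F and BPINT 41 set shows exactly which interrupt each
check triggers.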
___________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but harder to spot: instead of
testing for the magic number, it checks whether its own int 41h handler was
actually reached. The handler copies AL into CL; AL is first loaded with an
unpredictable value (the timer counter read from port 40h) and CX is zeroed.
If a debugger handles the interrupt itself, our handler never runs (or AL
comes back changed) and CL differs from AL.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax            ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]   ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h            ; PIT channel 0 counter: a pseudo-random byte
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]   ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function AH=43h
returns the same magic number, AX=0F386h, when the debugger is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: the program
intercepts int 01h and int 03h and redirects them to a routine of its own.
It calls int 21h functions 35h/25h (get/set interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

        mov ah, 25h           ; set interrupt vector
        mov al, Int_Number    ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7=0x700 if the program was
loaded with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3 hold the BPM addresses). The values can be
manipulated or changed as well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025       ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE (-1)
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure):

        push 00               ; OF_READ
        mov eax,[00656634]    ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax               ; -1 -> 0 when the open failed
        jnz 00650589          ; detected
        push 00               ; OF_READ
        mov eax,[00656638]    ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh        ; function 4fh
        push 002a002ah        ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001 ; VxdCall
        cmp ax, 0f386h        ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in
"Software\NuMega\SoftICE" and in "Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE" respectively)

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed      ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>