About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
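Added example, not part of the original text or its author's code: a small Python scanner that looks for the machine-code and string signatures of the tricks listed above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) inside a binary. This is the analyst's side of the page: rather than running the checks, it triages a sample for their presence. The instruction encodings are my assumption (standard 16-bit x86 forms, with an optional 0x66 operand-size prefix so the 32-bit forms match too), and the sample buffer is constructed for the demonstration.

```python
"""Static scanner for the anti-SoftICE tricks described above (added example)."""
import re
import sys

# Assumed x86 encodings of the instruction sequences quoted in the text.
# A 16-bit form is used; the optional 0x66 prefix lets the same pattern hit
# the 32-bit encoding of the same instruction.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    "method01": rb"\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (either register order)
    "method02": rb"(?:\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a"
                rb"|\x66?\xbf\x4d\x4a\x66?\xbe\x47\x46)\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "method03_04": rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "method05": rb"\x66?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "method07": rb"\xb4\x43\xcd\x68",
    # Method 11 (MeltICE): driver names opened via CreateFileA / _lopen
    "method11": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "method12": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 13: registry key holding the installation directory
    "method13": rb"Software\\NuMega\\SoftICE",
}

COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob: bytes):
    """Return every (offset, method) hit in blob, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def count_by_method(blob: bytes):
    """Number of hits per signature (zero entries included)."""
    counts = {name: 0 for name in SIGNATURES}
    for _, name in scan(blob):
        counts[name] += 1
    return counts


# Constructed sample: padding plus a few of the sequences from the text.
SAMPLE = (
    b"\x90" * 4                                              # 0..3 padding
    + bytes.fromhex("b8 11 09 8b 17 be 47 46 bf 4d 4a cc")   # 4..15 Haspinst-style body
    + b"\x90" * 3                                            # 16..18 padding
    + bytes.fromhex("b8 4f 00 cd 41 3d 86 f3")               # 19..26 int 41h/4Fh check
    + b"\\\\.\\SICE\x00"                                     # 27..35 MeltICE device name
    + bytes.fromhex("b8 84 16 bb 02 02 cd 2f")               # 36..43 int 2Fh/1684h check
    + b"Software\\NuMega\\SoftICE\x00"                       # 44..67 registry key
    + bytes.fromhex("bd 4b 48 43 42 66 b8 04 00 cc")         # 68..77 BCHK check (32-bit)
)


if __name__ == "__main__":
    # Usage: python scan.py <file>  (defaults to the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:#010x}  {name}")
```

The patterns are deliberately narrow (exact immediates and interrupt numbers), so a hit is a strong hint that one of the tricks is present, while a clean scan proves nothing: the same checks can be assembled with different registers or split across instructions. Treat the output as a triage aid, not a verdict.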