<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (as well as the following one) is used by the
majority of packers/encryptors found on the Internet. It presents the
BoundsChecker signature to SoftICE: if SoftICE is loaded it answers the int 3
by modifying AL, so AL is no longer 4 after the call.

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' interface, which returns information on breakpoints or
executes SoftICE commands... It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point); a non-null ES:DI means the VxD is
loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler (a bare iret) while the call is made; if the magic value
still comes back, a system debugger is intercepting int 41h underneath:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; ES must point to segment 0 (the IVT), see method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: AL is
loaded with a value read from the timer (port 40h) instead of the telltale
4Fh, the dummy handler saves it in CL, and the comparison fails only if
something other than that handler serviced the interrupt:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                      ; set interrupt vector
 mov al, Int_Number               ; 01h or 03h
 mov dx, offset New_Int_Routine   ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. CreateFile resolves to CreateFileA in a
   non-Unicode build. */
BOOL IsSoftIce95Loaded()
{
  HANDLE hFile;
  hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  if( hFile != INVALID_HANDLE_VALUE )
  {
    CloseHandle(hFile);   /* device opened: SoftICE is present */
    return TRUE;
  }
  return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32)
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where 'tICE'
sits in key #2 and key #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
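
A static scanner for these idioms, as an added example (Python; not part of the original text nor of any tool it mentions): it byte-matches the x86 encodings of the checks from methods 01, 02, 03/04, 05, 07 and 12 and the strings of methods 11 and 13, the way a triage script or a YARA rule would flag an anti-debug stub. The method labels and the SAMPLE buffer are constructed for the demo.

```python
"""Static scanner for the SoftICE checks catalogued above (added example,
not part of the original text). It byte-matches the x86 encodings of
methods 01, 02, 03/04, 05, 07 and 12 plus the driver and registry strings
of methods 11 and 13 in a raw code buffer. SAMPLE is constructed."""
import re

# (method, regex over raw bytes). '(?:\x66)?' allows the operand-size prefix
# that 32-bit code needs for 16-bit register forms such as 'mov ax,...'.
SIGNATURES = [
    # mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01 BoundsChecker int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # mov si,4647h ; mov di,4A4Dh (the back door magic values)
    ("02 back door int 3",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05 int 41h/4Fh",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3"),
    # mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07 int 68h/43h", rb"\xB4\x43\xCD\x68(?:\x66)?\x3D\x86\xF3"),
    # push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # \\.\SICE, \\.\SIWVID, \\.\NTICE opened by MeltICE-style checks
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("13 registry key", rb"Software\\NuMega\\SoftICE"),
]

def scan(buf):
    """Return sorted (offset, method) pairs for every signature hit in buf.
    Short byte patterns can also occur by chance in data: treat a hit as a
    lead to inspect, not as proof."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample: NOP padding around the method 01, 05 and 12 sequences,
# a MeltICE device name and the NuMega registry path, as a stub might carry.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x02"  # method 01
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # method 05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # method 12
    + b"\xFF\x15\x00\x00\x00\x00\x66\x3D\x86\xF3"                  # call [..]; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                           # method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # method 13
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```

On a real binary, pass the raw file bytes to scan(); the 0x66-prefixed variants cover 32-bit PE code, the bare forms DOS/16-bit stubs.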
</PRE></TD></TR></TBODY></TABLE>