<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is loaded
it handles this int 3 itself and returns with AL changed; when it is not,
AL still holds 4 after the interrupt.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h             ; BoundsChecker function 4
        int 3                   ; answered by SoftICE if it is loaded
        cmp al, 4               ; AL unchanged -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0000:0000.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES+DI == 0 -> not loaded
        jnz SoftICE_Detected

(Summing ES and DI is a shortcut: testing each of them against zero
separately avoids the rare case where the 16-bit sum wraps to 0.)

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES+DI == 0 -> not loaded
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one temporarily
replaces the int 41h vector with an empty handler, so that AX can only come
back as 0F386h if something underneath the interrupt vector table (SoftICE)
intercepted the call. ES must point to segment 0, the interrupt vector
table, as in Method 06:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old offset
        xchg bx, es:[41h*4+2]   ; same for the segment
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
program's own int 41h handler copies AL into CL. If SoftICE intercepts the
int 41h, the handler is not reached (or AL is altered), so CL differs
from AL.

int41handler PROC
        mov cl, al              ; reached only if nobody intercepts int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a 'random' value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine: once the vectors are replaced, every trace or breakpoint goes to
the new routine instead of the debugger (hangs the computer...).
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute.

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h                 ; DS:DX -> new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (DR0 to DR3), simply by reading their
values (in ring0 only: MOV to/from DRx is a privileged instruction).
Values can be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; the same call with "\\\\.\\SIWVID" or
"\\\\.\\NTICE" covers the other two drivers):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open succeeds only when the VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the Carry flag,
which allows the handle to be opened, and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
        00401074: je 00401091           ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside "Software\NuMega\SoftICE" and "Software\Microsoft\Windows
\CurrentVersion\Uninstall\SoftICE" respectively.)

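The breakpoints given for the methods above catch these tricks while the
target runs under SoftICE; the same tricks can also be found statically,
because each one leaves a fixed byte pattern in the file. The following
scanner is an added example written for this page (it is not part of the
original text, of MeltICE, of stn-wid or of any packer): it searches a raw
image for the instruction encodings and strings shown in methods 01-05, 07,
11, 12 and 13 and reports the offset of each hit. It assumes 32-bit code for
methods 01 and 12 and 16-bit DOS code for the int-based tricks; the sample
image it scans is constructed inline for illustration, not bytes taken from
a real program.

```python
"""Static scanner for the anti-SoftICE byte sequences of methods 01-13.

Added example.  The signatures are the x86 encodings of the instruction
sequences shown in the text (32-bit for methods 01 and 12, 16-bit for the
DOS int tricks) plus the device names and registry paths of methods 11/13.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset of the match in the scanned image
    method: str     # which method of the text the bytes belong to
    raw: str        # matched bytes as hex, for manual confirmation


ANY = rb"[\x00-\xff]"   # one arbitrary byte inside a bytes regex

SIGNATURES = [
    # Method 01, 32-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    ("01 BCHK int 3 (32-bit)",
     rb"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"),
    # Method 01, 16-bit: the same sequence as a DOS program encodes it
    ("01 BCHK int 3 (16-bit)",
     rb"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"),
    # Method 02: mov si,4647h and mov di,4A4Dh close together, either order
    ("02 back door magic SI/DI",
     rb"(?:\xbe\x47\x46" + ANY + rb"{0,8}\xbf\x4d\x4a"
     rb"|\xbf\x4d\x4a" + ANY + rb"{0,8}\xbe\x47\x46)"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID",
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h (16-bit)
    ("05 int 41h/4Fh",
     rb"\xb8\x4f\x00\xcd\x41" + ANY + rb"{0,16}?\x3d\x86\xf3"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("07 int 68h/43h", rb"\xb4\x43\xcd\x68\x3d\x86\xf3"),
    # Method 12, 32-bit: push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8" + ANY + rb"{4}\x66\x3d\x86\xf3"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry paths (registry names are case-insensitive)
    ("13 registry key",
     rb"(?i)software\\(?:numega\\softice|microsoft\\windows\\currentversion\\"
     rb"(?:uninstall\\softice|app paths\\loader32\.exe))"),
]


def scan(image: bytes) -> list[Hit]:
    """Return every signature hit in the image, sorted by offset."""
    hits = []
    for method, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append(Hit(m.start(), method, m.group(0).hex()))
    return sorted(hits, key=lambda h: (h.offset, h.method))


# Constructed sample image (synthetic, not taken from any real program):
# NOP filler with several of the tricks from the text dropped in.
SAMPLE = (
    b"\x90" * 8
    # Method 01 (32-bit), followed by a jnz SoftICE_Detected
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    + b"\x90" * 4
    # Method 02, the Haspinst sequence: mov ax,0911h / mov dx,[bx] /
    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 4
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    + b"\x90" * 4
    # Method 12: push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00\x66\x3d\x86\xf3"
    + b"\x00" * 4
    # Method 11 and 13 strings
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print(f"{h.offset:08x}  method {h.method:<34} {h.raw}")
```

Run it as "python scan_sice.py packed.exe"; without an argument it scans the
constructed sample. A hit is a hint, not proof: the instructions are matched
as raw bytes, so a match inside data or a differently encoded sequence is
possible, and a packer defeats the byte match simply by re-ordering the
register loads or computing the magic values at run time, which is why the
SoftICE breakpoints given above remain the reliable way to catch them.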
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>