<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


__________________________________________________________________________



Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; point the int 41h vector at a dummy handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; ...so 0F386h can only come from a debugger
                                ; intercepting int 41h below the vector table
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: an unpredictable value in al
        xor cx,cx
        int 41h                 ; the dummy handler copies al into cl only if reached
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
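An added decoder (not from the original text) for the two DR7 values quoted above, 0x700 and 0x400, using the architectural field layout of the x86 DR7 register; it also shows what a set BPM looks like in DR7. Reading DRn is a privileged instruction, so the check itself only works in ring0, as the text says; the sample values are constructed.

```python
def decode_dr7(dr7: int) -> dict:
    """Split an x86 DR7 value into its architectural fields."""
    return {
        # L0..L3 / G0..G3: local / global enable bits for DR0..DR3
        "L":   [(dr7 >> (2 * i)) & 1 for i in range(4)],
        "G":   [(dr7 >> (2 * i + 1)) & 1 for i in range(4)],
        "LE":  (dr7 >> 8) & 1,      # local exact breakpoint enable
        "GE":  (dr7 >> 9) & 1,      # global exact breakpoint enable
        "RSV": (dr7 >> 10) & 1,     # reserved, always reads as 1 (hence the 0x400 baseline)
        "GD":  (dr7 >> 13) & 1,     # general detect: any MOV to/from DRn raises #DB,
                                    # which is how a debugger can catch this very check
        # R/Wn: 0=execute 1=write 3=read/write;  LENn: 0=1 byte 1=2 bytes 3=4 bytes
        "RW":  [(dr7 >> (16 + 4 * i)) & 3 for i in range(4)],
        "LEN": [(dr7 >> (18 + 4 * i)) & 3 for i in range(4)],
    }


def active_slots(dr7: int) -> list:
    """Indices 0..3 of hardware breakpoints enabled locally or globally (i.e. BPMs set)."""
    f = decode_dr7(dr7)
    return [i for i in range(4) if f["L"][i] or f["G"][i]]


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: 0x700 means LE and GE are set on top of the 0x400 baseline."""
    f = decode_dr7(dr7)
    return bool(f["LE"] and f["GE"])


# Constructed values: the two quoted in the text, plus a 4-byte read/write BPM in DR0.
DR7_LOADER  = 0x700
DR7_PLAIN   = 0x400
DR7_BPM_DR0 = 0x400 | 1 | (3 << 16) | (3 << 18)   # L0=1, RW0=3, LEN0=3 -> 0xF0401

if __name__ == "__main__":
    for name, val in (("loader", DR7_LOADER), ("plain", DR7_PLAIN), ("bpm", DR7_BPM_DR0)):
        print(f"{name:6} dr7={val:#07x} softice_loader={looks_like_softice_loader(val)} "
              f"slots={active_slots(val)}")
```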

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
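A static triage scan for the byte patterns and strings behind Methods 01 to 05, 07, 11 and 13, the analyst's counterpart to the BPX conditions listed above; this is an added example, not code from the original text. The byte encodings are the 16-bit and 32-bit x86 forms of the listings (e.g. B8 84 16 for mov ax,1684h); the sample blob is constructed from those listings, not taken from a real binary.

```python
import re

# Each signature: (method label from the text, regex over raw bytes).
# Encodings are the 16/32-bit x86 forms of the listings above; an operand-size
# prefix (66h) would sit before the matched bytes, so it does not matter here.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("Method 01 BCHK/int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    ("Method 02 back door magic",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04 int 2Fh/1684h",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h
    ("Method 05 int 41h/4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,6}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("Method 07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,6}?\xCD\x68", re.S)),
    # Method 11: device names opened with CreateFileA / _lopen
    ("Method 11 device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.S)),
    # Method 13: registry keys walked to find the install directory
    ("Method 13 registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
                rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.I)),
]


def scan(blob: bytes) -> list:
    """Return (offset, method label) for every signature hit, sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        hits.extend((m.start(), label) for m in pat.finditer(blob))
    return sorted(hits)


# Constructed sample (not a real binary): the Method 01 check, the Haspinst.exe
# loop body from Method 02 (16-bit), a Method 03 probe, and MeltICE's strings.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                       # Method 03
    + b"\\\\.\\SICE\x00"                                        # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

A hit only says the pattern is present; a packer that builds the values at runtime (as Method 12 does with pushes) will not match and needs the dynamic breakpoints listed in the text.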


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>