About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>