About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 here (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
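Added here as an example that is not part of the original post: a static scanner an analyst can run over a raw executable image to flag the constants, device names and registry paths quoted in methods 01 to 07, 11, 12 and 13 before stepping into the code. It assumes 16-bit instruction encodings (or 32-bit code carrying the 66h operand-size prefix), and the sample image it scans is constructed, not taken from any real binary.

```python
"""Static scan of a raw executable image for the anti-SoftICE patterns described
above.  Added example, not code from the original post.  Instruction encodings
assume 16-bit code (or 32-bit code with the 66h operand-size prefix); a match is
a candidate for the analyst to confirm in a disassembler, not proof of intent."""
import re
from typing import Dict, List

P16 = rb"(?:\x66)?"   # optional operand-size prefix (16-bit operand in 32-bit code)
GAP = rb".{0,12}?"    # a few intervening bytes (other instructions) are allowed


def _strings(*texts: str) -> "re.Pattern[bytes]":
    """Regex matching any of the given strings as ASCII or as UTF-16LE."""
    return re.compile(b"|".join(re.escape(t.encode(enc))
                                for t in texts for enc in ("ascii", "utf-16-le")))

# Method number -> regex over raw bytes, built only from values quoted in the text.
SIGS: Dict[str, "re.Pattern[bytes]"] = {
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' via int 3":
        re.compile(rb"\xbd\x4b\x48\x43\x42" + GAP + rb"\xcc", re.S),
    # 02: mov si,4647h ; mov di,4A4Dh ; int 3  (the back-door magic values)
    "02 back-door SI=4647h/DI=4A4Dh":
        re.compile(P16 + rb"\xbe\x47\x46" + GAP + P16 + rb"\xbf\x4d\x4a" + GAP + rb"\xcc", re.S),
    # 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh  (VxD entry-point query)
    "03/04 int 2Fh/1684h for SICE or SIWVID":
        re.compile(P16 + rb"\xb8\x84\x16" + GAP + P16 + rb"\xbb(?:\x02\x02|\x5f\x7a)"
                   + GAP + rb"\xcd\x2f", re.S),
    # 05/06: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "05/06 int 41h/4Fh magic 0F386h":
        re.compile(P16 + rb"\xb8\x4f\x00" + GAP + rb"\xcd\x41" + GAP + P16 + rb"\x3d\x86\xf3", re.S),
    # 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":
        re.compile(rb"\xb4\x43" + GAP + rb"\xcd\x68" + GAP + P16 + rb"\x3d\x86\xf3", re.S),
    # 12 (32-bit only): push 4Fh ; push 2A002Ah ; call VxDCall ; cmp ax,0F386h
    "12 VxDCall VWIN32_Int41Dispatch/4Fh":
        re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)" + GAP + rb"\x68\x2a\x00\x2a\x00"
                   + GAP + rb"\x66\x3d\x86\xf3", re.S),
    # 11: driver names opened with CreateFileA or _lopen (MeltICE)
    "11 MeltICE device name": _strings("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"),
    # 13: registry keys that reveal a SoftICE installation
    "13 SoftICE registry key": _strings("Software\\NuMega\\SoftICE", "Uninstall\\SoftICE",
                                        "App Paths\\Loader32.Exe"),
}

def scan(image: bytes) -> Dict[str, List[int]]:
    """Return {signature name: match offsets} for every signature found in image."""
    found = {name: [m.start() for m in pat.finditer(image)] for name, pat in SIGS.items()}
    return {name: offs for name, offs in found.items() if offs}

# Constructed sample image (not a real binary): the HASP listing's back-door call, the
# simplest int 41h/4Fh check, a UTF-16LE MeltICE device name and a registry path.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"          # mov ax,4Fh; int 41h; cmp ax,0F386h; jz short
    + b"\x90" * 4
    + "\\\\.\\SICE\x00".encode("utf-16-le")
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE_IMAGE).items():
        print(name, [hex(o) for o in offs])
```

Because the back-door call in method 02 and the int 41h checks in methods 05, 06 and 12 hit SoftICE's own breakpoint-friendly constants, the same byte patterns are what you would look for in a dump before setting the BPX/BPINT conditions listed above.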