<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK': the BoundsChecker signature SoftICE looks for
 mov ax, 04h           ; BoundsChecker function 04h
 int 3                 ; SoftICE's int 3 handler answers the request...
 cmp al,4              ; ...and AL no longer holds 4 if SoftICE is present
 jnz SoftICE_Detected  ; without SoftICE, int 3 returns with AL unchanged
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di             ; ES:DI = 0 before the call
 mov ax, 1684h         ; int 2Fh function 1684h: get VxD API entry point
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di            ; still 0 if no such VxD is installed
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh            ; int 41h function 4Fh: debugger installation check
 int 41h
 cmp ax, 0F386h        ; a system debugger answers with AX = F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax             ; ES = 0: the real-mode interrupt vector table
                       ; (setup omitted in the excerpt; method 06 shows the same)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; install our own int 41h vector, saving the old one
 xchg bx, es:[41h*4+2] ; in DX:BX, so that without a debugger int 41h is a no-op
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h        ; AX only changes if something above the IVT hooks int 41h
 jz SoftICE_detected

int41handler2 PROC
 iret                  ; plain return: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al             ; our handler simply copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax             ; ES = 0: the real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; install int41handler as the int 41h vector
 xchg bx, es:[41h*4+2]
 in al, 40h            ; AL = a more or less random byte (timer port 40h)
 xor cx,cx
 int 41h               ; with no debugger, int41handler runs and CL = AL
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; a debugger that intercepts int 41h leaves CL != AL
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h            ; int 68h function 43h: debugger installation check
 int 68h
 cmp ax,0F386h         ; same magic number as int 41h/4Fh
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
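As an added example (not from the original text): the instruction sequences of methods 01 to 07 above have fixed opcode encodings, so an analyst can flag them statically, the way YARA-style signature scanners do, before the program ever runs. The Python below reconstructs those encodings (16-bit real-mode forms, plus the 32-bit form of method 01) as byte regexes with small wildcards and runs them over a constructed, hand-assembled buffer; the signature list, the sample buffer and the method labels are my own assumptions, not something the text provides.

```python
"""Static scanner for the SoftICE detection sequences of methods 01 to 07.

Added example (not part of the original text): a YARA-style byte-pattern
scan that flags the instruction sequences listed above.
"""
import re
from typing import Dict, List

# Opcode encodings reconstructed from the listings above (16-bit real-mode
# forms; method 01 also appears in its 32-bit form). The lazy wildcards
# tolerate a few unrelated bytes between the instructions, since protectors
# often interleave register setup or junk.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature in EBP, then int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL)),
    ("02", "int 3 back door with SI=4647h / DI=4A4Dh (either order)",
     re.compile(rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"
                rb"|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46).{0,8}?\xcc", re.DOTALL)),
    ("03/04", "int 2Fh/1684h entry-point query for a SoftICE VxD ID",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?P<vxd>\x02\x02|\x5f\x7a)"
                rb".{0,8}?\xcd\x2f", re.DOTALL)),
    ("05", "int 41h/4Fh, compared against magic F386h",
     re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    ("06", "in al,40h followed by int 41h (Stone's handler-compare variant)",
     re.compile(rb"\xe4\x40.{0,4}?\xcd\x41", re.DOTALL)),
    ("07", "int 68h/43h, compared against magic F386h",
     re.compile(rb"\xb4\x43.{0,8}?\xcd\x68.{0,16}?\x3d\x86\xf3", re.DOTALL)),
]

VXD_IDS = {b"\x02\x02": "0202h (SICE)", b"\x5f\x7a": "7A5Fh (SIWVID)"}


def scan(code: bytes) -> List[Dict]:
    """Return every hit as {'method', 'offset', 'desc', 'detail'}, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(code):
            detail = VXD_IDS[m.group("vxd")] if "vxd" in pattern.groupindex else ""
            hits.append({"method": method, "offset": m.start(),
                         "desc": desc, "detail": detail})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample buffer: the sequences hand-assembled in the order
# 01 (32-bit form), 02, 03, 05, 06, 07, padded with NOPs.
SAMPLE = bytes.fromhex(
    "90909090"
    "bd4b484342" "66b80400" "cc" "3c04" "7510"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    "b81109" "be4746" "bf4d4a" "cc"              # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    "33ff" "8ec7" "b88416" "bb0202" "cd2f"       # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    "b84f00" "cd41" "3d86f3" "7400"              # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    "e440" "33c9" "cd41"                         # in al,40h; xor cx,cx; int 41h
    "b443" "cd68" "3d86f3"                       # mov ah,43h; int 68h; cmp ax,0F386h
    "90909090"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit['offset']:#06x}: method {hit['method']} "
              f"{hit['detail']} - {hit['desc']}")
```

The wildcards are deliberately short: a long gap between `mov ax,1684h` and `int 2Fh` is more likely an unrelated int 2Fh call than this check, so false positives go down when the gap is bounded. Method 06 has no comparison constant to anchor on, which is exactly why the text calls it harder to detect; the `in al,40h` / `int 41h` pair is the only fixed part.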
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                     ; DOS: set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; DS:DX -> the new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
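Added example (not from the original text) showing what the DR7 values quoted above actually encode: bit 10 of DR7 is a reserved bit that always reads as 1 (the 0x400 baseline), while 0x700 additionally has the LE and GE exact-breakpoint-enable bits 8 and 9 set, and an armed DR0-DR3 slot shows up in the low enable bits together with its R/W and LEN fields. The decoder follows the DR7 layout from the Intel manual; the function names and every sample value other than 0x400 and 0x700 are my own.

```python
"""Decode a DR7 value as read by method 10 (added example, not from the text)."""
from typing import Dict

# DR7 layout per the Intel SDM (vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable, one pair per DR0-DR3
#   bit 8 / 9  LE / GE         exact breakpoint enable, set by debuggers
#   bit 10     reserved, always reads as 1  (the 0x400 seen when idle)
#   bit 13     GD              general detect: trap any access to DR0-DR7
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3  two bits each, per breakpoint
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding is not in byte order


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its flags and the list of armed hardware breakpoints."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                      # slot DRn is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "index": n,
            "scope": "global" if glob else "local",
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def method10_flags(dr7: int) -> Dict:
    """The two conclusions method 10 draws from DR7: LE+GE set (0x700 instead
    of the 0x400 baseline) means the program was started under the SoftICE
    loader; any enabled DR0-DR3 slot means a BPM is armed."""
    d = decode_dr7(dr7)
    return {"softice_loader": d["le"] and d["ge"],
            "bpm_count": len(d["breakpoints"])}


if __name__ == "__main__":
    # 0x400 and 0x700 are the values quoted in the text; 0xD0401 is a
    # constructed value: DR0 enabled locally as a 4-byte write watchpoint.
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), decode_dr7(value), method10_flags(value))
```

The practical lesson for the analyst is in the warning above: a debugger cannot hide DR7 from ring0 code, so a BPM armed while stepping through this check is what gives the game away, and clearing the breakpoints (or temporarily setting the register to 0x400 by hand) is the countermeasure the text hints at.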

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* \\.\SICE is the device name the SoftICE VxD answers to on Win9x */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        /* the open only succeeds when the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
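Added example (not part of the original text) covering methods 11 and 13 together: both rely on fixed strings, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names (used by both the CreateFileA and the 16-bit _lopen variants of method 11) and the three registry paths of method 13, so a file image can be scanned for them before the program runs, which is a static complement to the breakpoints above. The Python below looks for each string in ASCII and, as a generalisation to programs that use the wide-character APIs, in UTF-16LE; the constructed sample image and the helper names are my own assumptions.

```python
"""Scan a file image for the SoftICE driver names (method 11) and registry
keys (method 13). Added example, not part of the original text."""
import re
from typing import Dict, List

# Strings named in the text. Device names serve both the CreateFileA and the
# 16-bit _lopen variants of method 11; the three keys are method 13's.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _patterns():
    """Case-insensitive byte regexes for every string, in ASCII and, as a
    generalisation to programs using the W APIs, in UTF-16LE."""
    pats = []
    for what, strings in (("method 11 device name", DEVICE_NAMES),
                          ("method 13 registry key", REGISTRY_KEYS)):
        for s in strings:
            for enc in ("ascii", "utf-16le"):
                raw = s.encode(enc)
                pats.append((what, s, enc,
                             re.compile(re.escape(raw), re.IGNORECASE)))
    return pats


def find_softice_strings(image: bytes) -> List[Dict]:
    """Return every hit as {'what', 'string', 'encoding', 'offset'}, by offset."""
    hits = []
    for what, s, enc, pat in _patterns():
        for m in pat.finditer(image):
            hits.append({"what": what, "string": s, "encoding": enc,
                         "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample image: a fake 16-byte header, two ASCII device names
# and one registry key stored as a wide string, then some padding.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 14
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for hit in find_softice_strings(SAMPLE_IMAGE):
        print(f"{hit['offset']:#06x} {hit['encoding']:<8} "
              f"{hit['what']}: {hit['string']}")
```

A hit on a device name tells you which of the CreateFileA / _lopen breakpoints above is worth setting; a hit on a registry key tells you the program will reach _regopenkey. Packed or encrypted programs hide these strings until run time, in which case the breakpoints above remain the way to catch them.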

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed  ; ZF set if no debugger is installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>