About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on Breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap our own handler into the IVT
    xchg    bx, es:[41h*4+2]    ; (es must be 0 here, as in Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer value: unpredictable
    xor     cx,cx
    int     41h                 ; SoftICE takes this int if loaded
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; our handler never ran -> cl != al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
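
As an added example (not code from the original post), the following decodes a DR7 value so the two numbers quoted above can be read bit by bit: 0x400 is only the always-set reserved bit 10, while 0x700 additionally has LE (bit 8) and GE (bit 9) set, and a BPM shows up as an enabled L/G pair plus its R/W and LEN fields. Bit positions are those of the Intel architecture manual; the verdict strings are my own naming.

```python
# Added example (not from the original post): decode DR7 the way Method 10
# reads it. Bit layout per the Intel manuals: bits 0-7 are the L/G enable
# pairs for DR0-DR3, bit 8 = LE, bit 9 = GE, bit 10 is reserved and always
# reads as 1, bit 13 = GD, bits 16-31 hold R/W and LEN for each breakpoint.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> size in bytes


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enabled breakpoints and control bits."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"index": i, "local": bool(local), "global": bool(glob),
                        "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def softice_verdict(dr7: int) -> str:
    """Name the three situations the text distinguishes (names are mine)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints set"       # BPMs in DR0-DR3
    if d["le"] or d["ge"]:
        return "debugger loader signature"      # the 0x700 case
    return "clean"                              # 0x400: only the reserved bit


if __name__ == "__main__":
    # 0xF0701 is a constructed value: DR0 enabled, read/write, 4 bytes, LE/GE set
    for value in (0x400, 0x700, 0xF0701):
        print(f"dr7={value:#x}: {decode_dr7(value)} -> {softice_verdict(value)}")
```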

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API; requires windows.h */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE VxD as a device: success means the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

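As an added example (not code from the original post), here is a small static scanner for triaging a binary for the tricks above: it looks for the machine-code encodings of the instructions listed in Methods 01, 02 and 05 and for the NUL-terminated device names of Method 11. The regexes are my own encodings of the listed instructions and the sample buffer is constructed by hand.

```python
# Added example (not from the original post): a static scanner for the
# anti-SoftICE byte patterns described in Methods 01, 02, 05 and 11.
# The regexes encode the listed instructions as x86 machine code
# (16-bit for the DOS snippets, 32-bit for the Method 01 'BCHK' check);
# the sample buffer at the bottom is constructed by hand.
import re

# Each signature is a regex over raw bytes (re.DOTALL so '.' spans any byte).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42, then int 3 = CC
    # within the next 8 bytes.
    "m01_bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h = BE 47 46 and mov di,4A4Dh = BF 4D 4A,
    # the two 'magic values', followed by int 3.
    "m02_magic_si_di": re.compile(
        rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Method 05: mov ax,4Fh = B8 4F 00, int 41h = CD 41.
    "m05_int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 11 (MeltICE): NUL-terminated driver device names.
    "m11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
}


def scan(buf: bytes) -> list:
    """Return (signature name, offset, matched bytes as hex) for every hit,
    sorted by offset."""
    hits = []
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(buf):
            hits.append((name, m.start(), m.group().hex()))
    return sorted(hits, key=lambda h: h[1])


def methods_found(buf: bytes) -> set:
    """Set of method tags (e.g. 'm02') present in the buffer."""
    return {name.split("_")[0] for name, _, _ in scan(buf)}


# Constructed sample: 16 bytes of filler between each planted pattern.
FILLER = bytes(range(0x20, 0x30))
SAMPLE = (
    FILLER
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + FILLER
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + FILLER
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + FILLER
    + b"\\\\.\\SICE\x00"                                   # "\\.\SICE" device name
)

if __name__ == "__main__":
    for name, off, raw in scan(SAMPLE):
        print(f"{off:#06x}  {name:<16} {raw}")
```

A hit only says the pattern is present; confirm it in the debugger with the breakpoints the text gives, since the same bytes can occur by chance in data.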
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>