About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is still 4 if nothing answered the int 3
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
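Both int 3 checks above (the 'BCHK' handshake of method 01 and the SI=4647h/DI=4A4Dh back door of method 02) have a fixed byte shape, which makes them easy to find in a binary before it ever runs. The scanner below is an added example, not part of the original text or of any tool named in it: it walks a raw 16-bit code image, tracks the operand loads that prepare the call, and reports each int 3 they lead to. The sample bytes are hand-assembled by me from the Haspinst.exe listing (so offsets start at 0 rather than 0095h), and the 32-byte look-back window and the handling of the two-byte CD 03 encoding of int 3 are my choices.

```c
/* Signature scanner for the int 3 based SoftICE checks of methods 01 and 02.
 * Added example, not from the original text. Input is a raw 16-bit real-mode
 * code image; the sample bytes are constructed from the Haspinst.exe listing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sice_trick { TRICK_BCHK = 1, TRICK_BACKDOOR = 2 };

struct hit {
    size_t offset;          /* offset of the int 3 that completes the sequence */
    enum sice_trick kind;
    uint16_t ax;            /* last mov ax,imm16 seen before it (09xxh or 0004h) */
};

/* int 3 is normally CCh, but CD 03 is an equivalent two-byte encoding. */
static size_t int3_len(const uint8_t *p, size_t n)
{
    if (n >= 1 && p[0] == 0xCC) return 1;
    if (n >= 2 && p[0] == 0xCD && p[1] == 0x03) return 2;
    return 0;
}

size_t scan_sice_int3(const uint8_t *code, size_t len, struct hit *hits, size_t max_hits)
{
    size_t nhits = 0, first = 0;
    int si = 0, di = 0, bchk = 0;   /* operand loads seen since the last int 3 */
    uint16_t ax = 0;

    for (size_t i = 0; i < len && nhits < max_hits; i++) {
        /* The loads sit a few instructions before their int 3; forget stale ones
         * (the 32-byte window is an assumption, generous for these sequences). */
        if ((si || di || bchk) && i - first > 32)
            si = di = bchk = 0;

        size_t n = int3_len(code + i, len - i);
        if (n) {
            if (si && di)
                hits[nhits++] = (struct hit){ i, TRICK_BACKDOOR, ax };
            else if (bchk)
                hits[nhits++] = (struct hit){ i, TRICK_BCHK, ax };
            si = di = bchk = 0;         /* this int 3 consumed the setup */
            ax = 0;
            i += n - 1;
            continue;
        }
        if (i + 2 < len) {
            /* BE iw = mov si,imm16 ; BF iw = mov di,imm16 ; B8 iw = mov ax,imm16 */
            if (code[i] == 0xBE && code[i + 1] == 0x47 && code[i + 2] == 0x46) {
                if (!si && !di && !bchk) first = i;
                si = 1;
            } else if (code[i] == 0xBF && code[i + 1] == 0x4D && code[i + 2] == 0x4A) {
                if (!si && !di && !bchk) first = i;
                di = 1;
            } else if (code[i] == 0xB8) {
                ax = (uint16_t)(code[i + 1] | (code[i + 2] << 8));
            }
        }
        /* 66 BD id = mov ebp,imm32 ; 4243484Bh ('BCHK') is stored little-endian */
        if (i + 5 < len && code[i] == 0x66 && code[i + 1] == 0xBD &&
            memcmp(code + i + 2, "\x4B\x48\x43\x42", 4) == 0) {
            if (!si && !di && !bchk) first = i;
            bchk = 1;
        }
    }
    return nhits;
}

/* Constructed sample: the Haspinst.exe loop from the text, hand-assembled, then
 * a method 01 sequence using the CD 03 form of int 3, then a lone int 3. */
static const uint8_t sample[] = {
    0xB8, 0x11, 0x09,                   /* mov ax,0911h                    */
    0x8B, 0x17,                         /* mov dx,[bx]                     */
    0xBE, 0x47, 0x46,                   /* mov si,4647h                    */
    0xBF, 0x4D, 0x4A,                   /* mov di,4A4Dh                    */
    0xCC,                               /* int 3              (offset 11)  */
    0x83, 0xC3, 0x02, 0x41,             /* add bx,2 ; inc cx               */
    0x83, 0xF9, 0x06, 0x72, 0xEB,       /* cmp cx,6 ; jb loop              */
    0xE9, 0x55, 0xFF, 0x8B, 0xDC,       /* jmp Bad_Guy ; mov bx,sp         */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh  (offset 26)  */
    0xB8, 0x04, 0x00,                   /* mov ax,4                        */
    0xCD, 0x03,                         /* int 3, long form   (offset 35)  */
    0x3C, 0x04, 0xCC,                   /* cmp al,4 ; lone int 3 (ignored) */
};
static struct hit sample_hits[8];

size_t sample_hit_count(void)
{
    return scan_sice_int3(sample, sizeof sample, sample_hits, 8);
}

const struct hit *sample_hit(size_t idx)
{
    return sample_hit_count() > idx ? &sample_hits[idx] : NULL;
}

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t k = 0; k < n; k++)
        printf("int 3 at offset %zu: %s, ax=%04Xh\n", sample_hits[k].offset,
               sample_hits[k].kind == TRICK_BACKDOOR ? "SoftICE back door" : "BCHK handshake",
               sample_hits[k].ax);
    return 0;
}
```

The scanner is byte-oriented rather than a disassembler, so a stray B8/BE/BF inside data can mislead it; in practice the requirement that both magic loads (or the 'BCHK' load) precede an int 3 within a short window keeps false positives rare, and the lone int 3 at the end of the sample shows that an ordinary breakpoint opcode is not reported.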
__________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; still 0 if no VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
: d+ |/ U' D  V" j" b3 m7 `& T/ y
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
: G) {7 Y/ }, D4 o4 v2 S  t( ]/ V

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; temporarily install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                    ; AX stays 4Fh if nothing else answers the int 41h
int41handler2 ENDP

__________________________________________________________________________
! d( P2 C2 \: o& p
" P1 i% u0 `8 C& X4 T9 T+ w, o: k( E- ^5 ~: t- ?
Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al           ; CL gets AL only if our handler actually runs
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT counter byte: a value that differs from run to run
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL != AL: our handler did not run, something else took int 41h
    jnz     SoftICE_detected

__________________________________________________________________________
: P+ X3 Y3 q% b8 ?3 x  K" ~; A) _0 q) H. k) u: @5 W0 s
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
# U; y: z3 N% z5 N$ s% z0 G% M4 a; {& y% E$ W9 K( z
7 @/ b# E  A  e9 E
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> replacement handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
/ u* @0 F  {) i: K/ @0 I/ z! h; k( o
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
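What the raw values read by method 10 mean follows from the documented DR7 bit layout: 0x400 is the reserved bit that always reads as 1, and the 0x300 that turns it into 0x700 is the LE and GE exact-breakpoint enables. The decoder below is an added example, not part of the original text or of SoftICE: it splits a DR7 value into per-slot enable, type and length fields, flags the LE|GE pattern, and shows how a memory breakpoint is programmed into a slot. The register values it works on are constructed (reading DR0..DR7 for real requires ring 0); the field positions are the ones in the Intel SDM.

```c
/* Decoder for the x86 debug registers that method 10 inspects from ring 0.
 * Added example, not from the original text: the register values below are
 * constructed, since reading DR0..DR7 for real needs ring 0. */
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, Debug Registers):
 *   bits 0..7         L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bit 8, bit 9      LE, GE                   the 0x300 that turns 0x400 into 0x700
 *   bit 10            reserved, reads as 1     so an idle DR7 is 0x400
 *   bit 13            GD                       trap on any MOV to/from DRx
 *   bits 16+4n,17+4n  RW_n   00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4n,19+4n  LEN_n  00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes */
#define DR7_LE    (1u << 8)
#define DR7_GE    (1u << 9)
#define DR7_GD    (1u << 13)
#define DR7_IDLE  0x400u

enum bp_type { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

struct hw_bp {
    int slot;             /* 0..3 = DR0..DR3 */
    uint32_t address;     /* linear address held in DRn */
    enum bp_type type;
    unsigned length;      /* 1, 2, 4 or 8 */
    int global;           /* Gn rather than Ln */
};

struct dr_state {
    int loader_pattern;   /* LE and GE both set: the dr7=0x700 the text describes */
    int general_detect;   /* GD set */
    int count;
    struct hw_bp bp[4];
};

/* Decode DR7 together with DR0..DR3; returns the number of enabled breakpoints. */
int decode_debug_regs(uint32_t dr7, const uint32_t dr0_3[4], struct dr_state *out)
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };
    out->loader_pattern = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    out->general_detect = (dr7 & DR7_GD) != 0;
    out->count = 0;
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n)) & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        if (!local && !global)
            continue;
        struct hw_bp *b = &out->bp[out->count++];
        b->slot    = n;
        b->address = dr0_3[n];
        b->type    = (enum bp_type)((dr7 >> (16 + 4 * n)) & 3);
        b->length  = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
        b->global  = global;
    }
    return out->count;
}

/* Program one slot the way a debugger does for a memory breakpoint (BPM). */
uint32_t dr7_set_slot(uint32_t dr7, int n, enum bp_type type, unsigned length, int global)
{
    unsigned len_field = length == 1 ? 0 : length == 2 ? 1 : length == 8 ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * n));                 /* clear RW_n and LEN_n */
    dr7 |= (uint32_t)type << (16 + 4 * n);
    dr7 |= (uint32_t)len_field << (18 + 4 * n);
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    return dr7 | DR7_IDLE;
}

/* The two questions method 10 asks, as plain functions of DR7. */
int enabled_breakpoints(uint32_t dr7)
{
    static const uint32_t none[4] = { 0, 0, 0, 0 };
    struct dr_state s;
    return decode_debug_regs(dr7, none, &s);
}

int softice_loader_pattern(uint32_t dr7)
{
    static const uint32_t none[4] = { 0, 0, 0, 0 };
    struct dr_state s;
    decode_debug_regs(dr7, none, &s);
    return s.loader_pattern;
}

int main(void)
{
    /* Constructed: started through the SoftICE loader, with a 4-byte BPM W on DR0. */
    uint32_t regs[4] = { 0x00401000, 0, 0, 0 };
    uint32_t dr7 = dr7_set_slot(0x700, 0, BP_WRITE, 4, 1);   /* 0xD0702 */
    struct dr_state s;
    decode_debug_regs(dr7, regs, &s);
    printf("dr7=%08X loader_pattern=%d breakpoints=%d\n", dr7, s.loader_pattern, s.count);
    for (int k = 0; k < s.count; k++)
        printf("  DR%d: %08X type=%d len=%u %s\n", s.bp[k].slot, s.bp[k].address,
               s.bp[k].type, s.bp[k].length, s.bp[k].global ? "global" : "local");
    return 0;
}
```

Note that the enable bits are what matter: a non-zero DR0..DR3 with no Ln/Gn set is a leftover address, not an active breakpoint, which is why the decoder reports slots only when an enable bit is on. Reading the registers only says something about the CPU the code happens to run on; on a multiprocessor system each CPU has its own set.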
) X5 ~; u( K& F
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
& Y/ z9 U" P8 e, c1 a
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
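The breakpoint conditions of method 11 (*(esp->4+4)=='SICE') and method 13 (*(esp->8+0x13)=='tICE') are dword compares at a fixed offset into the string the program hands to CreateFileA or RegOpenKey: 4 skips the \\.\ device prefix, 0x13 and 0x37 are where "tICE" sits in key #2 and key #1. The C below is an added example, not part of the original text or of SoftICE: it evaluates those two conditions the way the debugger does and puts an offset-free, case-insensitive name match beside them, over constructed inputs (the device paths and registry keys quoted above plus a lowercase \\.\sice). The fixed-offset compares are exact and cheap but miss the lowercase spelling and key #3; the name match catches those at the cost of also firing on unrelated strings that contain the same tokens. The token list, including "Loader32" for key #3, is my choice.

```c
/* The breakpoint conditions of methods 11 and 13 compare a dword at a fixed
 * offset of the string handed to CreateFileA / RegOpenKey. Added example, not
 * from the original text: it evaluates those conditions the way SoftICE would,
 * beside an offset-free match on the names themselves, over constructed strings. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* *(p)=='SICE' in SoftICE compares the 4 bytes at p with 'S','I','C','E' in
 * memory order, so a 4-byte memcmp reproduces it exactly. */
static int dword_at_equals(const char *s, size_t off, const char tag[4])
{
    if (strlen(s) < off + 4)      /* too short: the compare would read past the string */
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName on entry; +4 skips the "\\.\" device prefix. */
int method11_bpx_condition(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE") ||
           dword_at_equals(lpFileName, 4, "SIWV") ||
           dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * 0x13 is where "tICE" sits in "Software\NuMega\SoftICE" (key #2) and 0x37
 * where it sits in "...\CurrentVersion\Uninstall\SoftICE" (key #1). */
int method13_bpx_condition(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE") ||
           dword_at_equals(lpSubKey, 0x37, "tICE");
}

static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n)
            return 1;
    }
    return 0;
}

/* Offset-free variant: does the string name any SoftICE driver, registry key or
 * loader from the text? Case-insensitive, so spelling variants do not slip by;
 * the price is that it also fires on unrelated strings containing these tokens.
 * The token list is an assumption drawn from the names quoted in the text. */
int names_softice(const char *s)
{
    static const char *const tokens[] = { "SICE", "SIWVID", "NTICE", "SoftICE", "Loader32" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        if (contains_nocase(s, tokens[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the device paths and registry keys from the text plus
     * a lowercase spelling that the fixed-offset conditions do not cover. */
    static const char *const inputs[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\sice",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-70s m11=%d m13=%d names=%d\n", inputs[i],
               method11_bpx_condition(inputs[i]), method13_bpx_condition(inputs[i]),
               names_softice(inputs[i]));
    return 0;
}
```

The length guard in dword_at_equals is the one thing the real BPX does not have: SoftICE evaluates the dereference on whatever memory follows a short string, so a condition like *(esp->8+0x37) on a short key name reads into neighbouring data and may match or fault by accident.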

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>