<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK' = BoundsChecker signature
 mov ax, 04h         ; BoundsChecker function 04h
 int 3               ; if SoftICE is loaded it handles the call and modifies AL
 cmp al,4            ; AL unchanged -> nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax              ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]  ; ...keeping the old vector in BX:DX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h         ; our handler doesn't touch AX, SoftICE does
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al              ; our handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h             ; random-looking value from the timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; CL != AL -> our handler was never reached
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler via int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                  ; DOS set interrupt vector
 mov al, Int_Number           ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device (SoftICE for Win9x) can be opened. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);  /* the driver answered: SoftICE is loaded */
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025   ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00               ; OF_READ
 mov eax,[00656634]    ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax               ; HFILE_ERROR (-1) becomes 0
 jnz 00650589          ; detected
 push 00               ; OF_READ
 mov eax,[00656638]    ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32)
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
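As an added example (not part of the original text), here is an analyst-side scanner that searches a raw binary image for the byte sequences and strings that Methods 01 to 05, 07 and 11 to 13 above compile to, so a packer or protector using them can be flagged statically. The instruction encodings are derived from the listings on this page (16-bit and 32-bit forms, unpacked code assumed) and the sample image is constructed.

```python
import re

# Each entry: (trick as numbered on this page, regex over raw bytes).
# Where a listing could sit in 16-bit or 32-bit code, the 66h operand-size
# prefix is optional so both encodings are accepted.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') followed within a few bytes by int 3
    ("01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values of the int 3 back door
    ("02 SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("05 int 41h/4Fh magic number 0F386h",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,8}?(?:\x66)?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68", re.S)),
    # Method 12: push 4Fh / push 2A002Ah just before the VxDCall
    ("12 VWIN32_Int41Dispatch through VxDCall",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S)),
    # Method 11: device names opened by MeltICE (CreateFileA or _lopen)
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry keys that reveal the SoftICE installation
    ("13 SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(image: bytes):
    """Return sorted (offset, trick) pairs for every signature hit in image."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample image: NOP padding with three of the tricks embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01, 32-bit
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"   # Method 12
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # Method 11 strings
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Run it against a section dumped from a suspect executable; a hit only means the pattern is present, so confirm it in a disassembler before concluding the program checks for SoftICE.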
</PRE></TD></TR></TBODY></TABLE>