<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with 'BCHK' in
EBP and AX=4, the INT 3 is answered by SoftICE, and AL no longer equals 4
on return.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, by forcing it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911  ; execute command.
 4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647  ; 1st magic value.
 4C19:009D MOV DI,4A4D  ; 2nd magic value.
 4C19:00A0 INT 3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
 4C19:00A8 JB 0095      ; 6 different commands.
 4C19:00AA JMP 0002     ; Bad_Guy: jmp back.
 4C19:00AD MOV BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point): a non-null ES:DI
means the VxD is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one temporarily
replaces the int 41h vector by its own empty handler: the dummy handler
returns without touching ax, so ax can only come back as 0F386h if a
debugger intercepted the interrupt before the vector in the IVT.

 xor ax,ax
 mov es,ax               ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
temporary handler copies al into cl, and the value in al is read from port
40h (the timer), so it cannot be predicted. If a debugger swallows the
int 41h, the handler never runs and cl stays different from al.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________
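Added example (not from the original text): a decoder for the DR7 register layout, so the two values quoted above can be read field by field and an armed BPM can be told apart from a clean register. The field layout is the documented x86 one; the sample values are constructed.

```python
# DR7 layout per the x86 architecture (Intel SDM vol. 3, "Debug Registers").
# Bits 0-7: L0/G0 .. L3/G3 enable bits, bit 8: LE, bit 9: GE, bit 10: reserved
# and always read as 1, bit 13: GD, bits 16-31: R/Wn and LENn, 2 bits each.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # the 8-byte length only exists in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its flags and the armed breakpoint descriptors."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"reg": f"dr{n}", "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "le": bool(dr7 & (1 << 8)),    # local exact breakpoint match
            "ge": bool(dr7 & (1 << 9)),    # global exact breakpoint match
            "gd": bool(dr7 & (1 << 13))}   # general detect: trap on MOV to/from DRn


def classify(dr7: int) -> str:
    """Name the three situations the trick above distinguishes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "BPM armed: " + ", ".join(
            f'{b["reg"]} {b["kind"]} len={b["len"]}' for b in d["breakpoints"])
    if d["le"] or d["ge"]:
        return "no BPM, LE/GE set (the 0x700 case: started with the SoftICE loader)"
    return "no BPM, only the always-1 bit 10 (the 0x400 case)"


if __name__ == "__main__":
    # Constructed values: the two quoted above plus a 4-byte read/write BPM on dr0.
    for v in (0x400, 0x700, 0x400 | 1 | (3 << 16) | (3 << 18)):
        print(f"dr7={v:#06x}: {classify(v)}")
```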
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025  ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-1     ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
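Added example, not part of the original document: a static scanner that flags the byte patterns and strings of the tricks described above inside a binary, the kind of check an analyst runs on a sample before loading it under a debugger. The opcode encodings in the table and the sample buffer are constructed here, and only the ANSI forms of the driver names are matched, not their UTF-16 forms.

```python
import re

# Byte signatures for the tricks described above, written from the opcode
# encodings of the instructions they use: 16-bit immediates are little-endian,
# so "mov si,4647h" assembles to BE 47 46 and "int 2Fh" to CD 2F. The short
# ".{0,n}?" gaps tolerate a few interleaved instructions. Table constructed
# for this example; it is not a complete anti-debug catalogue.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,4}?\xCC", re.S)),
    ("M02 back door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    ("M03/04 int 2Fh/1684h on VxD ID 0202h or 7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.S)),
    ("M05 int 41h/4Fh compared with F386h",
     re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    ("M07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    ("M12 VxDCall 002A002Ah (VWIN32_Int41Dispatch) with 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("M11 MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(buf: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, lowest offset first."""
    hits = [(m.start(), name) for name, rx in SIGNATURES for m in rx.finditer(buf)]
    return sorted(hits)


# Constructed sample: the tricks assembled by hand, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # Method 02
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # Method 04
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # Method 12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                            # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```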