<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point at the interrupt vector table (es = 0,
    ; as set explicitly in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

(The temporary handler copies AL into CL. AL holds a value just read from
the timer port 40h and CX was cleared beforehand, so CL equals AL only if
the handler installed in the vector table actually ran; if a debugger
services int 41h itself instead, CL is still 0 and the compare fails.)
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
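To make the register values quoted above concrete, here is an added example
in Python (mine, not code from the original text) that decodes DR7 together
with DR0-DR3 the way an analyst does when checking what such a ring0 read of
the debug registers actually sees. The bit layout is the one Intel documents
for DR7; the function names and the sample register values are my own
constructions.

```python
# Added example (not from the original text): decode the x86 debug registers
# the way an analyst does when checking what a ring0 read of DR7/DR0-DR3 sees.
# DR7 layout (Intel SDM): bits 0..7 = L0,G0,L1,G1,L2,G2,L3,G3 (local/global
# enable for breakpoint 0..3), bit 8 = LE, bit 9 = GE, bit 10 = reserved and
# always reads as 1, bit 13 = GD, bits 16+4i..17+4i = R/W_i, 18+4i..19+4i = LEN_i.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 means 8 bytes only in long mode


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return (flags, breakpoints).

    flags       : dict of the LE, GE, reserved bit 10 and GD bits
    breakpoints : list of (slot, address, condition, length_in_bytes) for
                  every slot whose local or global enable bit is set
    """
    addrs = (dr0, dr1, dr2, dr3)
    flags = {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
    }
    breakpoints = []
    for slot in range(4):
        local_enable = (dr7 >> (2 * slot)) & 1
        global_enable = (dr7 >> (2 * slot + 1)) & 1
        if not (local_enable or global_enable):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        length = (dr7 >> (18 + 4 * slot)) & 3
        breakpoints.append((slot, addrs[slot], RW_NAMES[rw], LEN_BYTES[length]))
    return flags, breakpoints


def loaded_with_softice_loader(dr7):
    """The page's rule of thumb: DR7 reads 0x700 (LE and GE set) when the
    program was started with the SoftICE loader and 0x400 (only the
    always-set reserved bit) otherwise."""
    flags, _ = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def describe(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Human-readable summary, e.g. for a memory dump taken at the check."""
    flags, breakpoints = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    lines = [f"DR7={dr7:#x}  LE={flags['LE']} GE={flags['GE']} GD={flags['GD']}"]
    for slot, addr, cond, length in breakpoints:
        lines.append(f"  DR{slot}: {addr:#010x} {cond} len={length}")
    if not breakpoints:
        lines.append("  no hardware breakpoints enabled")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: the two DR7 values quoted above, then one BPM-style
    # 4-byte read/write breakpoint in slot 0 at 0x401000 (L0, R/W0=11b, LEN0=11b).
    print(describe(0x700))
    print(describe(0x400))
    print(describe(0xF0401, dr0=0x401000))
```

Reading the decode shows why the two quoted values differ only in bits 8 and 9
(LE/GE): neither carries an enabled breakpoint, so a check that merely compares
DR7 against 0x400 is really testing those two flag bits, while a BPM shows up as
an enable bit in the low byte plus a condition/length pair in the high word.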
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SoftICE VxD through its device name "\\.\SICE" */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxDCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
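Most of the checks above boil down to a handful of fixed constants: the 'BCHK'
value of method 01, the SI/DI magic values of method 02, the VxD IDs of
methods 03/04, the 4Fh/int 41h pair of method 05, the 43h/int 68h pair of
method 07, the 002A002Ah VxDCall of method 12 and the 0F386h magic number.
An analyst can therefore locate them in an unpacked code dump without running
anything. The following is an added example in Python, mine and not code from
the original document: the opcode encodings it relies on are the standard x86
ones for the instruction forms quoted above, the byte windows allowed between
the two halves of a pattern are my own choice, and the sample buffer is
constructed (the method 02 loop re-encoded, then the simplest form of method
05 and the int 2Fh query of method 03).

```python
import re

# Added example (not from the original document): static scan of raw x86 code
# for the fixed constants used by the SoftICE checks of methods 01-05, 07 and 12.
# Opcode encodings assumed (standard x86, 16-bit forms unless noted):
#   B8 iw mov ax,imm16   BB iw mov bx,imm16   BE iw mov si,imm16
#   BF iw mov di,imm16   B4 ib mov ah,imm8    CD ib int imm8
#   BD id mov ebp,imm32  6A ib push imm8      68 id push imm32
#   3D iw cmp ax,imm16   (66h prefix in 32-bit code)
# The ".{0,N}?" gaps are my choice of how far apart the two halves of a
# pattern may sit; they are not part of the original text.
SIGNATURES = [
    ("method 01: BoundsChecker 'BCHK' constant loaded into ebp",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("method 02: int 3 back door magic values SI=4647h and DI=4A4Dh",
     rb"\xBE\x47\x46.{0,24}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,24}?\xBE\x47\x46"),
    ("methods 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("method 05: int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("method 07: int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"\x6A\x4F.{0,8}?\x68\x2A\x00\x2A\x00"),
    ("magic number 0F386h compared against ax",
     rb"\x66?\x3D\x86\xF3"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(code):
    """Return a sorted list of (offset, label) for every signature hit in code."""
    hits = []
    for label, pattern in COMPILED:
        for m in pattern.finditer(code):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample buffer (offsets in the comments are byte offsets).
SAMPLE = bytes.fromhex(
    "90 90 90 90"                  # 0:  filler
    "B8 11 09"                     # 4:  mov ax,0911h
    "8B 17"                        # 7:  mov dx,[bx]
    "BE 47 46"                     # 9:  mov si,4647h
    "BF 4D 4A"                     # 12: mov di,4A4Dh
    "CC"                           # 15: int 3
    "83 C3 02 41 83 F9 06 72 EB"   # 16: add bx,2 / inc cx / cmp cx,6 / jb back
    "90 90 90"                     # 25: filler
    "B8 4F 00 CD 41"               # 28: mov ax,4Fh / int 41h
    "3D 86 F3 74 10"               # 33: cmp ax,0F386h / jz detected
    "31 FF 8E C7"                  # 38: xor di,di / mov es,di
    "B8 84 16 BB 02 02 CD 2F"      # 42: mov ax,1684h / mov bx,0202h / int 2Fh
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run against SAMPLE the scan reports the back door at offset 9, the int 41h
check at 28, the 0F386h compare at 33 and the VxD query at 45. The limits are
the same as for any constant scan: it only sees literal encodings, so code
that builds the magic values at run time, or that is still packed, has to be
dumped or unpacked first, and a hit is a lead for the analyst rather than
proof on its own.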
" }& i' I `* x8 A" x1 @8 M
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
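The conditional breakpoints of method 11 (CreateFileA / _lopen) and of method
13 (_regopenkey) both work the same way: they read four bytes at a fixed
offset into a string argument found on the stack. The following added Python
example (mine, not from the original document) models those two conditions on
the argument strings, so the offsets 4, 0x13 and 0x37 can be checked without a
debugger; it also shows which of the three registry keys the method 13
breakpoint misses, and adds a broader substring check as a generalisation that
is not on the page. The function names and all inputs are my own
constructions.

```python
# Added example (not from the original document): model the string tests of
# two SoftICE conditional breakpoints on the argument bytes.
#
# Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
#   At the breakpoint [esp] is the return address, so esp->4 is the first
#   argument (lpFileName); +4 skips the four-character "\\.\" device prefix
#   and *( ) reads the next four bytes.
# Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
#   esp->8 is the second argument (lpSubKey) of RegOpenKey(hKey, lpSubKey,
#   phkResult); 0x13 and 0x37 are where "tICE" falls in the two key names.

DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")


def dword_at(buf, offset):
    """The 4 bytes that '*(ptr+offset)' reads; a short buffer yields fewer."""
    return bytes(buf[offset:offset + 4])


def createfile_bp_condition(lp_filename):
    """Mirror the method 11 breakpoint on the lpFileName bytes.
    Note: like the breakpoint it never checks that the prefix is really \\.\ """
    return dword_at(lp_filename, 4) in DEVICE_TAGS


def regopenkey_bp_condition(lp_subkey):
    """Mirror the method 13 breakpoint on the lpSubKey bytes."""
    return (dword_at(lp_subkey, 0x13) == b"tICE"
            or dword_at(lp_subkey, 0x37) == b"tICE")


def tice_offset(lp_subkey):
    """Where 'tICE' sits in a key name (-1 if absent); explains 0x13 / 0x37."""
    return lp_subkey.find(b"tICE")


def broad_softice_key_check(lp_subkey):
    """Generalisation (not on the page): flag any key naming SoftICE or its
    loader, including key #3, which the fixed-offset breakpoint misses."""
    low = lp_subkey.lower()
    return b"softice" in low or b"loader32" in low


# Constructed inputs: the three registry keys of method 13 (HKLM prefix
# stripped, as RegOpenKey receives them) and a few device/file names.
KEY1 = rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"
KEY2 = rb"Software\NuMega\SoftICE"
KEY3 = rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe"
NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE", rb"C:\Windows\notepad.exe"]

if __name__ == "__main__":
    for name in NAMES:
        print(name.decode(), "->", createfile_bp_condition(name))
    for key in (KEY1, KEY2, KEY3):
        print(key.decode(), "-> bp:", regopenkey_bp_condition(key),
              "tICE at", tice_offset(key), "broad:", broad_softice_key_check(key))
```

Working the offsets out by hand: "Software\" is 9 characters and "NuMega\" 7,
so the 't' of SoftICE in key #2 lands at index 19 (0x13); in key #1 the
"Microsoft\", "Windows\", "CurrentVersion\" and "Uninstall\" components push
it to index 55 (0x37). Key #3 has no "tICE" at either offset, so a program
that only asks for the Loader32.Exe App Path passes the breakpoint unnoticed;
the broader check catches it at the cost of more hits.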

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>