<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-))
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected
Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
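Added example (not part of the original text): the instruction sequences and strings listed in methods 01 to 13 can be hand-assembled into byte signatures and run over an unpacked binary as a static triage scan, so an analyst can spot which checks a protector carries before debugging it. The signature labels, encodings and the sample blob below are my own; nothing here comes from the original author's tools.

```python
import re
from typing import Dict, List, Tuple

# Byte encodings of the anti-SoftICE sequences described above, assembled by hand
# (16-bit code unless noted). The short labels are constructed for this example.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK'), 32-bit encoding
    "M01_BCHK": b"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values)
    "M02_backdoor_magic": b"\xBE\x47\x46\xBF\x4D\x4A",
    # Method 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    "M03_int2F_SICE": b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04_int2F_SIWVID": b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05/06: mov ax,4Fh ; int 41h, and the cmp ax,0F386h that follows
    "M05_int41_4F": b"\xB8\x4F\x00\xCD\x41",
    "M05_cmp_F386": b"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "M07_int68_43": b"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names passed to CreateFileA / _lopen
    "M11_dev_SICE": b"\\\\.\\SICE",
    "M11_dev_SIWVID": b"\\\\.\\SIWVID",
    "M11_dev_NTICE": b"\\\\.\\NTICE",
    # Method 12: push 4Fh ; push 2A002Ah before Kernel32!ORD_0001 (32-bit)
    "M12_vxdcall_int41": b"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2
    "M13_reg_NuMega": b"Software\\NuMega\\SoftICE",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset.

    A raw byte match is a triage lead, not proof: a packer can split or
    reorder these instructions, and the 3-byte cmp pattern can collide
    with unrelated code, so confirm hits in a disassembler.
    """
    hits: List[Tuple[int, str]] = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(re.escape(pattern), blob):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a file on disk (unpack it first; signatures do not survive encryption)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: four NOPs, the Method 05 check, a short jz, then the
# MeltICE device name and the NuMega registry key as C strings.
SAMPLE = (b"\x90" * 4 + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x05"
          + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```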

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
 VMMCall Test_Debug_Installed
 je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>