<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL is no longer 4 if SoftICE answered the BCHK request
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI is still 0:0 if no such VxD is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs ; ES is assumed to address the IVT (segment 0), as in method 06
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; only reached if the int 41h was not swallowed by SoftICE
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; arbitrary value read from the PIT counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; CL is still 0 if our handler never ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

// Returns TRUE if the SoftICE (Win9x) driver answers an open request.
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     // the driver opened: SoftICE is loaded
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

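A static scanner for the byte patterns that methods 01 to 05, 07, 11 and 13 above leave in a binary, as an added example (Python, not code from the original text or from any tool it mentions). The signature names, the sample buffer and the assumption that the immediates are encoded without operand-size prefixes are mine.

```python
import re

# Byte signatures for the anti-SoftICE tricks described above (constructed for
# this example; the names are mine). Encodings are the plain 16-bit or 32-bit
# x86 immediates; a 0x66 operand-size prefix ahead of a pattern does not defeat
# a substring search, so the same patterns serve DOS and Win32 code.
SIGNATURES = {
    "bchk_signature_int3":     rb"\xBD\x4B\x48\x43\x42",      # mov ebp,'BCHK'            (method 01)
    "int3_backdoor_magic":     rb"\xBE\x47\x46\xBF\x4D\x4A",  # mov si,4647h/mov di,4A4Dh (method 02)
    "int2f_1684_sice_vxd":     rb"\xBB\x02\x02\xCD\x2F",      # mov bx,0202h/int 2Fh      (method 03)
    "int2f_1684_siwvid_vxd":   rb"\xBB\x5F\x7A\xCD\x2F",      # mov bx,7A5Fh/int 2Fh      (method 04)
    "int41_4f_debugger_check": rb"\xB8\x4F\x00\xCD\x41",      # mov ax,4Fh/int 41h        (method 05)
    "int68_43_winice_handler": rb"\xB4\x43\xCD\x68",          # mov ah,43h/int 68h        (method 07)
    "meltice_device_name":     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",   # '\\.\SICE',0 etc. (method 11)
    "softice_registry_key":    rb"NuMega\\SoftICE|Uninstall\\SoftICE",  # ANSI key names    (method 13)
}


def scan_for_softice_checks(data: bytes) -> list[tuple[int, str]]:
    """Return every (offset, signature name) hit in `data`, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, data):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(hits: list[tuple[int, str]]) -> dict[str, int]:
    """Count hits per signature, which is what an analyst triages first."""
    counts: dict[str, int] = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: NOP filler around the method-02 back-door call from the
# Haspinst.exe listing above, followed by a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"          # mov ax,0911h   (execute SIce command)
    + b"\xBE\x47\x46"          # mov si,4647h   (1st magic value)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh   (2nd magic value)
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0 as passed to CreateFileA
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan_for_softice_checks(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Register renaming, a different instruction order or a prefix placed between two instructions defeats a raw byte match, so treat a hit as a lead for the BPX checks above rather than as proof.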
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>