<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must be 0 (the IVT segment) here,
        xchg bx, es:[41h*4+2]   ; as it is set explicitly in method 06
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE, but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The device name \\.\SICE only opens when the SoftICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
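As an added example (not part of the original document), here is a small Python signature scanner that flags the instruction sequences of methods 01, 02, 03/04, 05, 07 and 12 and the device names of method 11 in a raw binary, the kind of triage an analyst runs on a packed sample before loading it under a debugger. The byte patterns are the standard x86 encodings of the instructions listed above (32-bit operand size for methods 01/11/12, 16-bit for the DOS-era checks); the sample buffer is constructed by hand.

```python
import re

# x86 byte signatures of the checks described above, in the operand size each
# snippet implies: 32-bit for method 01 and the Win32 code of methods 11/12,
# 16-bit for the DOS-era int 3 / int 2Fh / int 41h / int 68h checks.
SIGNATURES = {
    # mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "01 BoundsChecker int 3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # mov si,4647h ; mov di,4A4Dh (either order) followed by int 3 within 8 bytes
    "02 back door magic values":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)[\x00-\xFF]{0,8}\xCC",
    # mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # mov ah,43h ; int 68h ; cmp ax,0F386h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # the \\.\SICE, \\.\SIWVID and \\.\NTICE device names opened by MeltICE
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # push 4Fh ; push 2A002Ah ; call rel32 or call [imm32] (VxDCall)
    "12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00(?:\xE8|\xFF\x15)",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return every (offset, method) hit in data, ordered by offset."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def detected_methods(data: bytes):
    """Distinct method names found in data, sorted for stable reporting."""
    return sorted({name for _, name in scan(data)})


# Constructed sample buffer (not a real binary): the snippets above, assembled
# by hand and separated by NOPs, so every offset in the comments is known.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 @4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02 @26
    + b"\x90" * 2
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # method 03 @35
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # method 05 @43
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12 @53
    + b"\\\\.\\SIWVID\x00"                                          # method 11 @65
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the byte sequence is present; confirm it with the SoftICE breakpoints given for each method, since a packer may build the same values at run time.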
</PRE></TD></TR></TBODY></TABLE>