<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI == 0:0 means the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and put the original vector back
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read an arbitrary value from the timer port
    xor cx, cx
    int 41h                 ; our handler copies AL into CL only if it really runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

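To make the dr7 values quoted above concrete, here is an added example (not part of the original document) that decodes DR7 according to the bit layout in the Intel SDM; the arm_local helper and the sample values are mine. It shows that 0x400 is just the reserved always-one bit, that 0x700 adds LE and GE on top of it, and how the L/G bits reveal which of dr0..dr3 carry an armed BPM:

```c
#include <stdio.h>
#include <stdint.h>

/* DR7 layout (Intel SDM): bits 0-7 L0,G0..L3,G3 enable DR0..DR3; bit 8 LE,
 * bit 9 GE (exact breakpoint enables); bit 10 reserved and reads as 1 (this
 * is the 0x400 above); bit 13 GD; bits 16-31 R/Wn and LENn, 4 bits per DRn. */
typedef struct {
    int enabled[4];   /* L or G bit set for DRn: a hardware breakpoint is armed */
    int rw[4];        /* 0 exec, 1 write, 2 I/O r/w, 3 data read/write */
    int len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 undefined) */
    int le, ge, gd;
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = {{0}};
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;
        d.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        d.len[n]     = (int)((dr7 >> (18 + 4 * n)) & 3u);
    }
    d.le = (int)((dr7 >> 8) & 1u);
    d.ge = (int)((dr7 >> 9) & 1u);
    d.gd = (int)((dr7 >> 13) & 1u);
    return d;
}

/* How many of DR0..DR3 are armed: the "memory breakpoints set" test of method 10. */
int armed_count(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

/* Arms DRn locally with the given R/W and LEN fields (constructed helper so
 * the reader can build a BPM-like value and decode it). */
uint32_t arm_local(uint32_t dr7, int n, int rw, int len)
{
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((uint32_t)(rw & 3) | ((uint32_t)(len & 3) << 2)) << (16 + 4 * n);
    return dr7;
}

int main(void)
{
    uint32_t vals[] = { 0x400, 0x700, arm_local(0x400, 0, 3, 3) };
    for (int i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(vals[i]);
        printf("dr7=%#x LE=%d GE=%d GD=%d armed=%d DR0 rw=%d len=%d\n",
               (unsigned)vals[i], d.le, d.ge, d.gd, armed_count(vals[i]), d.rw[0], d.len[0]);
    }
    return 0;
}
```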
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
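Methods 01, 02, 05, 11 and 12 all hinge on fixed constants (the 'BCHK' immediate, the 4647h/4A4Dh pair, 0F386h, the SICE/SIWVID/NTICE device names, 002A002Ah), so an analyst can triage a binary for them statically instead of tracing every breakpoint above. The scanner below is an added example, not part of the original document: the signature table and helpers are mine, and the sample buffer is constructed from the Haspinst listing of method 02 plus a MeltICE device name.

```c
#include <stdio.h>
#include <string.h>

/* Immediates sit little-endian inside the instruction, so 4243484Bh is the
 * byte run 4B 48 43 42. A hit is a triage pointer for the analyst, not proof. */
typedef struct { const char *what; const unsigned char *pat; size_t len; } sig_t;
static const unsigned char BCHK[]   = { 0x4B, 0x48, 0x43, 0x42 }; /* 'BCHK', method 01 */
static const unsigned char MAGIC[]  = { 0x86, 0xF3 };             /* 0F386h, methods 05/07/12 */
static const unsigned char SI_FG[]  = { 0x47, 0x46 };             /* SI = 4647h, method 02 */
static const unsigned char DI_JM[]  = { 0x4D, 0x4A };             /* DI = 4A4Dh, method 02 */
static const unsigned char INT41D[] = { 0x2A, 0x00, 0x2A, 0x00 }; /* 002A002Ah, method 12 */
#define BYTES(w, a) { w, a, sizeof(a) }
#define TEXT(w, s)  { w, (const unsigned char *)s, sizeof(s) - 1 }
static const sig_t SIGS[] = {
    BYTES("BCHK BoundsChecker signature (01)", BCHK),
    BYTES("0F386h debugger magic (05/07/12)", MAGIC),
    BYTES("SI=4647h back door magic (02)", SI_FG),
    BYTES("DI=4A4Dh back door magic (02)", DI_JM),
    BYTES("VWIN32_Int41Dispatch 002A002Ah (12)", INT41D),
    TEXT("\\\\.\\SICE device name (11)", "\\\\.\\SICE"),
    TEXT("\\\\.\\SIWVID device name (11)", "\\\\.\\SIWVID"),
    TEXT("\\\\.\\NTICE device name (11)", "\\\\.\\NTICE"),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

static long find(const unsigned char *b, size_t len, const unsigned char *p, size_t plen, size_t from)
{
    for (size_t i = from; i + plen <= len; i++)
        if (memcmp(b + i, p, plen) == 0) return (long)i;
    return -1;
}

/* Bitmask of signatures present anywhere in the image: bit k <-> SIGS[k]. */
unsigned scan_antisice(const unsigned char *img, size_t len)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        if (find(img, len, SIGS[k].pat, SIGS[k].len, 0) >= 0) hits |= 1u << k;
    return hits;
}

/* Method 02 loads both magic values back to back: require the DI operand
 * within 8 bytes after the SI operand so two random bytes do not count. */
int has_backdoor_pair(const unsigned char *img, size_t len)
{
    for (long si = 0; (si = find(img, len, SI_FG, 2, (size_t)si)) >= 0; si++) {
        size_t end = (size_t)si + 8 < len ? (size_t)si + 8 : len;
        if (find(img, end, DI_JM, 2, (size_t)si) >= 0) return 1;
    }
    return 0;
}

/* Constructed sample: the Haspinst sequence (method 02) as 16-bit opcodes,
 * a cmp ax,0F386h, and a MeltICE device name. */
static const unsigned char SAMPLE[] = {
    0xB8, 0x11, 0x09, 0x8B, 0x17,          /* mov ax,0911h ; mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,    /* mov si,4647h ; mov di,4A4Dh */
    0xCC, 0x3D, 0x86, 0xF3,                /* int 3 ; cmp ax,0F386h */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};
```

Running scan_antisice(SAMPLE, sizeof SAMPLE) reports bits 1, 2, 3 and 5 (0x2E) and has_backdoor_pair returns 1; feed a real image through fread into the same two calls to triage it.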

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>