<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
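
Added example (not part of the original text): a Python scanner that looks for
the byte encodings of the interrupt-based checks of Methods 01 to 07, the kind
of static pass an analyst runs over a sample before tracing it. The opcode
encodings are the standard x86 ones; the sample bytes and the allowed gaps
between instructions are constructed assumptions.

```python
import re

# Byte patterns for the interrupt-based checks of Methods 01 to 07. Encodings
# (16-bit code; an optional 66h prefix covers the same instructions in 32-bit code):
#   mov ax,imm16 = B8 iw   mov bx,imm16 = BB iw   mov si,imm16 = BE iw
#   mov di,imm16 = BF iw   mov ah,imm8  = B4 ib   mov ebp,imm32 = BD id
#   int 3 = CC   int 41h = CD 41   int 2Fh = CD 2F   int 68h = CD 68
# '.{0,n}?' tolerates a few unrelated bytes between the register loads and the int.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: INT 3 back door (SI=4647h, DI=4A4Dh)",
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh",
     rb"(?:\x66)?\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("Method 07: int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(code: bytes):
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: Method 05, the Haspinst back-door call (Method 02),
# a Method 03 probe and a 32-bit Method 01 sequence, separated by NOP filler.
SAMPLE = (
    b"\xB8\x4F\x00"             # mov ax,4Fh
    b"\xCD\x41"                 # int 41h
    b"\x3D\x86\xF3"             # cmp ax,0F386h
    b"\x74\x10"                 # jz SoftICE_detected
    b"\x90\x90\x90\x90"         # nop filler
    b"\xB8\x11\x09"             # mov ax,0911h
    b"\x8B\x17"                 # mov dx,[bx]
    b"\xBE\x47\x46"             # mov si,4647h
    b"\xBF\x4D\x4A"             # mov di,4A4Dh
    b"\xCC"                     # int 3
    b"\x90\x90\x90\x90"         # nop filler
    b"\xB8\x84\x16"             # mov ax,1684h
    b"\xBB\x02\x02"             # mov bx,0202h
    b"\xCD\x2F"                 # int 2Fh
    b"\xBD\x4B\x48\x43\x42"     # mov ebp,4243484Bh ('BCHK')
    b"\x66\xB8\x04\x00"         # mov ax,4 (32-bit code, 66h prefix)
    b"\xCC"                     # int 3
    b"\x3C\x04"                 # cmp al,4
)
```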
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
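
Added example (not from the original text): a Python decoder for the DR7 values
quoted above, so that 0x700 and 0x400 can be read as the LE/GE flags plus the
always-set bit 10, and an armed BPM shows up as an enabled DR0-DR3 slot. The bit
layout is the documented x86 one; the "anything other than 0x400" test and the
sample value are constructed from the page's numbers.

```python
# DR7 layout (x86): bits 0-7 = L0,G0 .. L3,G3 enables for DR0-DR3; bit 8 = LE;
# bit 9 = GE; bit 10 always reads as 1; bit 13 = GD; bits 16-31 = RWn (2 bits)
# and LENn (2 bits) for each breakpoint n.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Decode a raw DR7 value into its flags and the armed breakpoints."""
    info = {
        "le": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),   # general detect: traps any access to DR0-DR7
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            info["breakpoints"].append(
                (n, RW_KIND[rw], LEN_BYTES[ln], "global" if glob else "local"))
    return info


def looks_debugged(dr7: int) -> bool:
    """Method 10 heuristic: 0x400 is the idle value (only the always-set bit 10);
    anything beyond it (0x700 from SoftICE Loader, or an armed BPM) is a hit."""
    return (dr7 & ~0x400) != 0


def describe(dr7: int) -> str:
    """One-line summary, e.g. for the two values quoted on the page."""
    d = decode_dr7(dr7)
    flags = ",".join(f for f in ("le", "ge", "gd") if d[f]) or "none"
    bps = ", ".join(f"DR{n} {kind} len={ln} ({scope})"
                    for n, kind, ln, scope in d["breakpoints"]) or "none"
    return f"dr7={dr7:#x}: flags={flags} bps={bps} debugged={looks_debugged(dr7)}"


# Constructed sample: a 4-byte global write BPM on DR1 (G1, RW1=write, LEN1=4).
SAMPLE_DR7 = 0xD00408
```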

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    /* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
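
Added example (not from the original text): a Python helper that decodes the
VxDCall service dword used in Method 12 and locates the device names that
Method 11 opens, so both tricks can be flagged in a binary without running it.
The VxD and service names are the ones this page gives (002Ah VWIN32, 001Fh
_VWIN32_ReleaseWin32Mutex, 002Ah VWIN32_Int41Dispatch); the sample bytes and
the import address in them are constructed.

```python
import re

# VxD IDs and VWIN32 service numbers as this page names them.
VXD_NAMES = {0x002A: "VWIN32", 0x0202: "SICE", 0x7A5F: "SIWVID"}
VWIN32_SERVICES = {0x002A: "VWIN32_Int41Dispatch", 0x001F: "_VWIN32_ReleaseWin32Mutex"}

# Device names opened by MeltICE-style checks (Method 11).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

# push imm32 (68 id), push imm32, then call rel32 (E8 id) or call [mem32] (FF 15 id).
VXDCALL_RX = re.compile(rb"\x68(.{4})\x68(.{4})(?:\xE8.{4}|\xFF\x15.{4})", re.DOTALL)


def decode_vxdcall(service: int):
    """Split a VxDCall service dword into (VxD name, service name)."""
    vxd_id, svc = service >> 16, service & 0xFFFF
    vxd = VXD_NAMES.get(vxd_id, f"VxD {vxd_id:04X}h")
    name = VWIN32_SERVICES.get(svc) if vxd_id == 0x002A else None
    return vxd, name or f"service {svc:04X}h"


def find_vxdcalls(code: bytes):
    """Return (offset, vxd, service, pushed_arg) for each push/push/call sequence."""
    hits = []
    for m in VXDCALL_RX.finditer(code):
        arg = int.from_bytes(m.group(1), "little")   # pushed first: 2nd argument
        svc = int.from_bytes(m.group(2), "little")   # pushed last: service dword
        vxd, name = decode_vxdcall(svc)
        hits.append((m.start(), vxd, name, arg))
    return hits


def find_int41_checks(code: bytes):
    """Method 12: VWIN32_Int41Dispatch invoked with function 4Fh."""
    return [h for h in find_vxdcalls(code)
            if h[2] == "VWIN32_Int41Dispatch" and h[3] == 0x4F]


def find_device_names(data: bytes):
    """Method 11: SoftICE device names present in the binary."""
    return [(data.find(n), n.decode()) for n in DEVICE_NAMES if n in data]


def bpx_tag(device_name: bytes) -> bytes:
    # The 4 bytes the page's BPX compares via *(esp->4+4): the name after the \\.\ prefix.
    return device_name[4:8]


# Constructed sample: the Method 12 sequence followed by two device-name strings.
# The call target 00401000h is a placeholder for the Kernel32!ORD_0001 import slot.
SAMPLE = (
    b"\x68\x4F\x00\x00\x00"        # push 0000004Fh
    b"\x68\x2A\x00\x2A\x00"        # push 002A002Ah
    b"\xFF\x15\x00\x10\x40\x00"    # call dword ptr [00401000h]
    b"\x66\x3D\x86\xF3"            # cmp ax,0F386h
    b"\x74\x05"                    # jz SoftICE_detected
    b"\x00"
    b"\\\\.\\SICE\x00"
    b"\\\\.\\NTICE\x00"
)
```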
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>