<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.
    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must be 0 (the IVT segment), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):
    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                 ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                 ;will break 3 times :-(
-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f
BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

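The breakpoint conditions given for each method only fire while the protected program runs under SoftICE. For triage of a sample on disk, the same idioms can be found statically. The Python scanner below is an added example, not code from the original text nor from any of the tools it names: it matches the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the driver names and registry paths of Methods 11 and 13 in a raw file image (a DOS executable or an unpacked PE section). The opcode bytes are the standard Intel encodings assumed here from the listings' mnemonics; SAMPLE and every offset in it are constructed for the demo.

```python
"""Static triage scanner for the SoftICE-detection idioms listed above.

Added example, not code from the original text or from any tool it names.
The opcode bytes are the standard Intel encodings of the listings in
Methods 01, 02, 03/04, 05, 07 and 12 (assumed here from the mnemonics);
the strings come from Methods 11 and 13. SAMPLE is a constructed buffer.
"""
import re
import sys
from typing import List, Tuple

# Driver device names (Method 11) and registry paths (Method 13) as they
# would appear in a program's data section.
DRIVER_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [
    b"Software\\NuMega\\SoftICE",
    b"\\Uninstall\\SoftICE",
    b"\\App Paths\\Loader32.Exe",
]


def _string_alternatives(names: List[bytes]) -> bytes:
    """Regex alternation over the ASCII and UTF-16LE forms of each name."""
    forms = []
    for n in names:
        forms.append(re.escape(n))
        forms.append(re.escape(n.decode("ascii").encode("utf-16-le")))
    return b"|".join(forms)


# (label, pattern). Regexes over raw bytes so a signature tolerates the few
# bytes that vary between builds: a 66h operand-size prefix in 32-bit code
# or an unrelated instruction between the register loads and the int.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) .. int 3 (CC) .. cmp al,4 (3C 04)
    ("Method 01: BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order
    ("Method 02: int 3 back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h (B8 84 16), mov bx,0202h or 7A5Fh, int 2Fh (CD 2F)
    ("Method 03/04: int 2Fh/1684h VxD entry point query (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.S)),
    # Method 05: mov ax,4Fh (B8 4F 00) .. int 41h (CD 41), or int 41h .. cmp ax,0F386h
    ("Method 05: int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41|\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h (B4 43) then int 68h (CD 68)
    ("Method 07: int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) then push 002A002Ah (68 2A 00 2A 00)
    ("Method 12: VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S)),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (CreateFile or _lopen)
    ("Method 11: SoftICE driver device name (MeltICE-style open)",
     re.compile(_string_alternatives(DRIVER_NAMES))),
    # Method 13: registry paths revealing the SoftICE installation
    ("Method 13: SoftICE registry key path",
     re.compile(_string_alternatives(REGISTRY_KEYS), re.I)),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    hits.sort()
    return hits


def report(data: bytes) -> List[str]:
    """One human-readable line per hit."""
    return ["%08x  %s" % (off, label) for off, label in scan(data)]


# Constructed sample: the sequences from the listings above, NOP-padded,
# followed by one device name and one registry path. Not from any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (32-bit) at 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 loop, magic at 26
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # Method 03 at 36
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                          # Method 05 at 47
    + b"\x90" * 3
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # Method 07 at 58
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # Method 12 at 68
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                           # Method 11 at 78
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13 at 87
    + b"\x90" * 8
)


if __name__ == "__main__":
    # Usage: python scan_softice.py FILE   (no argument: scan the built-in SAMPLE)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(blob):
        print(line)
```

A hit is a lead for the analyst, not proof: a packer stub, a debugger's own binaries or an installer for SoftICE itself will carry the same bytes, so each offset should be confirmed in a disassembler and, where the program can be run, with the corresponding BPX condition from the text. Method 06's variant leaves no immediate to match (it reads the PIT through `in al,40h` and compares what the hooked handler stored), which is exactly why the text calls it harder to detect, and the ring0 Methods 09, 10 and 14 are only identifiable by their VMM service names.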
__________________________________________________________________________

Method 14
=========


A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>