About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers to: INT 3 is
called with EBP = 'BCHK' and AX = 4; if SoftICE is loaded it handles the
interrupt and changes AL, otherwise the interrupt returns with AX untouched
and AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy IRET handler, so a handler installed in the vector table cannot
answer; if ax still comes back as 0F386h, something intercepted the
interrupt before the vector table was consulted (SoftICE):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: instead
of checking for 0F386h, the dummy handler copies AL into CL, and AL holds a
fresh (unpredictable) timer reading. If our handler ran, CL equals AL
afterwards; if the int 41h was swallowed by something else, it does not.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT counter: a value nobody can predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 35h/25h (get/set interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened, so SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

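To recognise these tricks in a binary before ever loading it under SoftICE, here is an added example (mine, not code from the original text nor from any program it mentions): a small C scanner for the instruction sequences of methods 01, 02, 03/04, 05, 07 and 12 and for the device names and registry key of methods 11 and 13. The byte encodings, the operand order, the signature names and the sample buffer are assumptions of the example, not something the page states; a packer that reorders or obfuscates a sequence will not match, so a miss proves nothing, while a hit tells you where to put the BPX.

```c
/*
 * Static triage scanner for the anti-SoftICE indicators described in this
 * text (added example, not from the original post). Encodings assumed:
 * mov r16,imm16 = B8+r iw ; mov ah,imm8 = B4 ib ; mov ebp,imm32 = BD id ;
 * int n = CD ib ; int 3 = CC ; push imm8 = 6A ib ; push imm32 = 68 id.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *pat; size_t len; } sig_t;
typedef struct { const char *name; size_t off; } hit_t;

/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (the 'FG'/'JM' back door) */
static const unsigned char sig_backdoor[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* Method 01: mov ebp,04243484Bh ('BCHK'); in 16-bit code a 66h prefix precedes it */
static const unsigned char sig_bchk[]     = { 0xBD,0x4B,0x48,0x43,0x42 };
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
static const unsigned char sig_sice_vxd[] = { 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F };
static const unsigned char sig_siwvid[]   = { 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F };
/* Method 05: mov ax,4Fh ; int 41h */
static const unsigned char sig_int41[]    = { 0xB8,0x4F,0x00, 0xCD,0x41 };
/* Method 07: mov ah,43h ; int 68h */
static const unsigned char sig_int68[]    = { 0xB4,0x43, 0xCD,0x68 };
/* Method 12: push 4Fh ; push 002A002Ah  (push imm8 then push imm32 form) */
static const unsigned char sig_vxdcall[]  = { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };

#define SIG(n, a) { n, a, sizeof (a) }
#define STR(n, s) { n, (const unsigned char *)s, sizeof (s) - 1 }
static const sig_t sigs[] = {
    SIG("int3 back door (FG/JM)", sig_backdoor),
    SIG("BCHK int3",              sig_bchk),
    SIG("int2F/1684 SICE",        sig_sice_vxd),
    SIG("int2F/1684 SIWVID",      sig_siwvid),
    SIG("int41/4F",               sig_int41),
    SIG("int68/43",               sig_int68),
    SIG("VxDCall 2A002A/4F",      sig_vxdcall),
    /* Methods 11 and 13: MeltICE device names and the registry key */
    STR("device \\\\.\\SICE",     "\\\\.\\SICE"),
    STR("device \\\\.\\SIWVID",   "\\\\.\\SIWVID"),
    STR("device \\\\.\\NTICE",    "\\\\.\\NTICE"),
    STR("registry NuMega key",    "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Scan buf; record up to max hits (ordered by offset) and return the total count. */
size_t scan_anti_sice(const unsigned char *buf, size_t n, hit_t *out, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (n - off >= sigs[s].len && memcmp(buf + off, sigs[s].pat, sigs[s].len) == 0) {
                if (found < max) { out[found].name = sigs[s].name; out[found].off = off; }
                found++;
            }
    return found;
}

/* Constructed sample (not a real binary): a Haspinst-style back door loop,
 * an int 41h/4Fh check, an int 2Fh/1684h check and a MeltICE device name. */
static const unsigned char sample[] = {
    0x90, 0x90,                                   /*  0: nop ; nop */
    0xB8,0x11,0x09, 0x8B,0x17,                    /*  2: mov ax,0911h ; mov dx,[bx] */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,         /*  7: mov si,4647h ; mov di,4A4Dh ; int 3 */
    0x83,0xC3,0x02, 0x41,                         /* 14: add bx,2 ; inc cx */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,    /* 18: mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    0x31,0xFF, 0x8E,0xC7,                         /* 26: xor di,di ; mov es,di */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,    /* 30: mov ax,1684h ; mov bx,0202h ; int 2Fh */
    '\\','\\','.','\\','S','I','C','E', 0,        /* 38: "\\.\SICE" */
};

size_t sample_hit_count(void)
{
    hit_t hits[16];
    return scan_anti_sice(sample, sizeof sample, hits, 16);
}

hit_t sample_hit(size_t i)
{
    hit_t hits[16], none = { "none", (size_t)-1 };
    size_t n = scan_anti_sice(sample, sizeof sample, hits, 16);
    return (i < n && i < 16) ? hits[i] : none;
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_anti_sice(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("+%04zx  %s\n", hits[i].off, hits[i].name);
    return 0;
}
```

Feed it the raw bytes of the file (or of an unpacked memory dump, since the sequences only appear once the packer's layer has decrypted them); each hit offset is where the matching BPX or BPINT from the sections above should fire.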
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>