<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: an INT 3
issued with EBP='BCHK' and AX=4 is answered by SoftICE, which changes AL;
without SoftICE, AL still holds 4 afterwards. (Under Win32 an INT 3 that
nobody answers raises a breakpoint exception, so the caller has to wrap it
in an exception handler.)

        mov     ebp, 04243484Bh         ; 'BCHK' BoundsChecker signature
        mov     ax, 04h                 ; function 4
        int     3                       ; handled by SoftICE if it is loaded
        cmp     al,4                    ; AL unchanged -> no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' INT 3 interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description of the functions:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV   AX,0911   ; execute command.
4C19:0098 MOV   DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV   SI,4647   ; 1st magic value.
4C19:009D MOV   DI,4A4D   ; 2nd magic value.
4C19:00A0 INT   3         ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD   BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC   CX
4C19:00A5 CMP   CX,06     ; repeat 6 times to execute
4C19:00A8 JB    0095      ; 6 different commands.
4C19:00AA JMP   0002      ; Bad_Guy: jump back.
4C19:00AD MOV   BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot of the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
without SoftICE the INT 3 raises a breakpoint exception instead of returning.
___________________________________________________________________________


Method 03
=========

Less common method. It asks for the SoftICE VxD API entry point via
INT 2Fh/AX=1684h (Get Device API Entry Point). If the VxD is loaded,
ES:DI receives a non-zero entry point; otherwise ES:DI is left at 0:0,
which is why both registers are cleared before the call.

        xor     di,di
        mov     es,di           ; ES:DI = 0:0 before the call
        mov     ax, 1684h       ; Get Device API Entry Point
        mov     bx, 0202h       ; VxD ID of SICE (winice)
        int     2Fh
        mov     ax, es          ; ES:DI -> VxD API entry point
        add     ax, di          ; ES+DI is non-zero only if the VxD answered
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di,di
        mov     es,di           ; ES:DI = 0:0 before the call
        mov     ax, 1684h       ; Get Device API Entry Point
        mov     bx, 7A5Fh       ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es          ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

        mov     ax,4Fh          ; debugger installation check
        int     41h
        cmp     ax, 0F386h      ; magic answer of a system debugger
        jz      SoftICE_Detected

The next snippet, as well as method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the INT 41h vector
in the interrupt vector table (ES must be 0) at a dummy IRET handler; the
idea is that SoftICE intercepts INT 41h before the real-mode vector is ever
reached, so it still answers 0F386h, whereas on a clean system the dummy
handler returns with AX unchanged:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]      ; swap in our handler (ES = 0)
        xchg    bx, es:[41h*4+2]
        mov     ax,4Fh
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method similar to the preceding one but harder to spot because no
0F386h or 4Fh constant appears: the handler simply copies AL into CL. A
value read from the timer port is placed in AL and CX is cleared; if our
handler ran, CL equals AL afterwards, but if a debugger intercepted INT 41h
instead, CL is still 0 (the check misses only if the byte read happens to
be 0).

int41handler PROC
        mov     cl,al
        iret
int41handler ENDP

        xor     ax,ax
        mov     es,ax               ; ES = 0 (interrupt vector table)
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]      ; install our handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h             ; arbitrary value: PIT counter 0 low byte
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl,al               ; our handler ran only if CL == AL
        jnz     SoftICE_Detected

_________________________________________________________________________
Method 07
=========
Detection of the WinICE handler on INT 68h (V86 mode): function AH=43h is
the installation check and, like INT 41h/4Fh, answers 0F386h.

        mov     ah,43h          ; installation check
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detection of SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h (the interrupts a debugger relies on for
single-step and breakpoints) and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h                     ; DOS: set interrupt vector
        mov     al, Int_Number              ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
possible from ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7A5F

__________________________________________________________________________

Method 10
=========
=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints (BPM) are set (DR0 to DR3), simply by reading
their value (ring 0 only: a MOV from a debug register faults in ring 3).
The values can be manipulated or changed as well (clearing BPMs, for instance).

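To make the DR7 values quoted above concrete, here is an added example (it is not part of the original text and not SoftICE or NuMega code) that decodes a DR7 value the way a ring-0 check would: which of DR0..DR3 are armed, their R/W and LEN fields, and whether the LE/GE bits that separate the 0x700 of a loader-started program from the idle 0x400 are set. The bit layout is the Intel one; the DR7 values fed in are constructed, since a MOV from a debug register is only possible in ring 0.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM): bit 2i = Li, bit 2i+1 = Gi (local/global enable
 * of breakpoint i, i = 0..3), bit 8 = LE, bit 9 = GE, bit 10 reserved and
 * always reads as 1 (hence the 0x400 of an idle DR7), bits 16+4i..17+4i =
 * R/Wi, bits 18+4i..19+4i = LENi. */
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSVD (1u << 10)

/* Bitmask (bit i set) of the hardware breakpoints DR0..DR3 that are armed. */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))           /* Li or Gi set */
            mask |= 1u << i;
    return mask;
}

/* R/W field of breakpoint i: 0 = execute, 1 = write, 2 = I/O, 3 = read/write. */
unsigned dr7_rw(uint32_t dr7, int i)
{
    return (dr7 >> (16 + 4 * i)) & 3u;
}

/* Length in bytes of breakpoint i (LEN encoding 0,1,3 -> 1,2,4 bytes;
 * encoding 2 is undefined on 32-bit processors and is returned as 0). */
unsigned dr7_len_bytes(uint32_t dr7, int i)
{
    static const unsigned bytes[4] = {1, 2, 0, 4};
    return bytes[(dr7 >> (18 + 4 * i)) & 3u];
}

/* The page's loader check: 0x700 (LE|GE plus the reserved bit) versus the
 * idle 0x400. Only LE and GE are tested so that armed breakpoints do not
 * change the verdict. */
int dr7_started_by_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Any BPM set? DR0..DR3 hold the addresses; DR7 says which are live. */
int dr7_bpm_set(uint32_t dr7)
{
    return dr7_armed_mask(dr7) != 0;
}

int main(void)
{
    /* Constructed sample values: what a ring-0 "mov eax, dr7" might return. */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x000D0701u, 0xF0000080u };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t dr7 = samples[k];
        printf("DR7=%08x loader=%d bpm=%d", (unsigned)dr7,
               dr7_started_by_softice_loader(dr7), dr7_bpm_set(dr7));
        for (int i = 0; i < 4; i++)
            if (dr7_armed_mask(dr7) & (1u << i))
                printf(" DR%d:rw=%u len=%u", i, dr7_rw(dr7, i),
                       dr7_len_bytes(dr7, i));
        putchar('\n');
    }
    return 0;
}
```

Masking only LE and GE (rather than comparing the whole register with 0x700) matters in practice: as soon as a BPM is set, DR7 carries the Li/Gi and R/W/LEN bits as well and an exact compare would report "not loaded".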
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD under Win9x;
       "\\.\SIWVID" is the video VxD and "\\.\NTICE" the NT driver. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push    00402025        ; "\\.\SICE"
        0040106C: call    CreateFileA
        00401071: cmp     eax,-001        ; INVALID_HANDLE_VALUE?
        00401074: je      00401091        ; open failed: not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, and
   the dword at that address is compared with the first four characters of
   the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                  ; OF_READ
        mov     eax,[00656634]      ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                 ; HFILE_ERROR (-1) becomes 0
        jnz     00650589            ; detected
        push    00                  ; OF_READ
        mov     eax,[00656638]      ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push    0000004Fh           ; function 4Fh
        push    002A002Ah           ; high word specifies which VxD (VWIN32)
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001   ; VxDCall
        cmp     ax, 0F386h          ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" falls in
   "Software\NuMega\SoftICE" and 0x37 where it falls in the Uninstall key #1)
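The two conditional breakpoints, BPX CreateFileA if *(esp->4+4)=='SICE' ... in method 11 and the BPX _regopenkey one just above, both compare a dword read from inside a string argument with a four-character literal. The following added example (not from the original text, and not SoftICE's own code) reproduces those two conditions in C on constructed argument strings, so the offsets and the byte order of the literal can be checked without a debugger. It assumes the usual stdcall entry state, where esp->4 and esp->8 are the first and second stack arguments, and reads the dword the way an x86 does, little-endian from the ASCII bytes in memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The dword that the ASCII bytes c0 c1 c2 c3 form in memory on x86
 * (little-endian): the value a memory dword must equal for the page's
 * *(address)=='SICE' style comparison to be true. */
#define FOURCC(c0, c1, c2, c3)                                          \
    ((uint32_t)(uint8_t)(c0)        | ((uint32_t)(uint8_t)(c1) << 8) |  \
    ((uint32_t)(uint8_t)(c2) << 16) | ((uint32_t)(uint8_t)(c3) << 24))

/* Emulates "*(p+off)" on a NUL-terminated argument string: assembles the
 * four bytes at s+off little-endian.  Returns 0 when the string ends before
 * four bytes are available (a real debugger would read whatever follows the
 * string; here we simply report "no match possible"). */
static int dword_at(const char *s, size_t off, uint32_t *out)
{
    const uint8_t *p;
    if (strlen(s) < off + 4)
        return 0;
    p = (const uint8_t *)s + off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV'
 *                                || *(esp->4+4)=='NTIC'
 * At function entry [esp] is the return address, so esp->4 is the first
 * argument, lpFileName; +4 skips the "\\.\" device prefix. */
int bpx_createfile_hits(const char *lpFileName)
{
    uint32_t d;
    if (!dword_at(lpFileName, 4, &d))
        return 0;
    return d == FOURCC('S', 'I', 'C', 'E') ||   /* \\.\SICE   */
           d == FOURCC('S', 'I', 'W', 'V') ||   /* \\.\SIWVID */
           d == FOURCC('N', 'T', 'I', 'C');     /* \\.\NTICE  */
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument of RegOpenKey, lpSubKey.  Offset 0x13 is
 * where "tICE" falls in "Software\NuMega\SoftICE" (key #2) and 0x37 where it
 * falls in "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"
 * (key #1); the hKey argument is never looked at. */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    const uint32_t tice = FOURCC('t', 'I', 'C', 'E');
    uint32_t d;
    return (dword_at(lpSubKey, 0x13, &d) && d == tice) ||
           (dword_at(lpSubKey, 0x37, &d) && d == tice);
}

int main(void)
{
    /* Constructed arguments, as a MeltICE-style program would pass them. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\COM1", "C:\\readme.txt" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               bpx_createfile_hits(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               bpx_regopenkey_hits(keys[i]) ? "break" : "pass");
    return 0;
}
```

Two things the emulation makes visible: the CreateFileA condition matches any name whose bytes 4..7 are "SICE"/"SIWV"/"NTIC" (so "\\.\SIWVID" is caught by 'SIWV'), and the registry condition only fires for the two key spellings whose "tICE" lands exactly at 0x13 or 0x37; key #3 (App Paths\Loader32.Exe) is not covered by that breakpoint.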

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

        VMMCall Test_Debug_Installed    ; ZF set if no debugger is present
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>