About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

__________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]        ; (assumes ES=0, as set explicitly in Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger still answers with the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL != AL means our handler never ran: int 41h was caught
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
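Because the post lists the exact instruction sequences and strings each trick relies on, a defender can turn them into static byte signatures and report which anti-SoftICE tricks an unknown binary carries. The Python scanner below is an added example, not code from the original post: the byte encodings are my own derivation from the listings above (16-bit encodings for methods 02 to 07, 32-bit for 01 and 12, plus the MeltICE device names and the NuMega registry path), and SAMPLE is a constructed blob, not a real file.

```python
import re

# Signatures derived from the listings in the post (my encodings, not the
# author's). Lazy '?' quantifiers keep the gap between instructions short so
# unrelated bytes are not stitched together.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",                    # mov ebp,4243484Bh .. int 3
    "02 int 3 backdoor magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",   # mov si,4647h / mov di,4A4Dh
    "03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",     # mov ax,1684h / mov bx,id / int 2Fh
    "05/06 int 41h/4Fh magic 0F386h":
        rb"\x66?\xB8\x4F\x00\xCD\x41.{0,12}?\x66?\x3D\x86\xF3", # mov ax,4Fh / int 41h .. cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":
        rb"\xB4\x43\xCD\x68.{0,4}?\x66?\x3D\x86\xF3",           # mov ah,43h / int 68h .. cmp ax,0F386h
    "10 read of a debug register":
        rb"\x0F\x21[\xC0-\xFF]",                               # mov r32, drN (any pair; noisy on data)
    "11 MeltICE device name":
        b"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE")),
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{5,6}\x66\x3D\x86\xF3", # push 4Fh / push 2A002Ah / call .. cmp
    "13 NuMega registry key":
        re.escape(b"Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (trick, offset) for every signature hit, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES.items()
            for m in re.finditer(pat, blob, re.DOTALL)]   # DOTALL: '.' must match 0x0A too
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed blob (not a real file): a fake header followed by fragments
# taken from the listings of methods 01, 10, 12, 11 and 13, in that order.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBD\x4B\x48\x43\x42"                          # mov ebp, 04243484Bh     (method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"          # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x0F\x21\xF8"                                  # mov eax, dr7             (method 10)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                  # push 4Fh / push 2A002Ah  (method 12)
    + b"\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3\x74\x05"  # call / cmp ax,0F386h / jz
    + b"\x00\\\\.\\SICE\x00"                           # '\\.\SICE' device name   (method 11)
    + b"Software\\NuMega\\SoftICE\x00"                 # registry path            (method 13)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  method {name}")
```

A real scan would run over the unpacked image, since packers applying method 01 or 02 hide the sequence until their stub has decrypted the code.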