<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; SoftICE answers the BoundsChecker handshake by changing al
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax    ; ES:DI still 0:0 means no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler, old vector now in dx:bx
    mov ax,4fh
    int 41h                 ; a plain iret leaves ax=4fh; a debugger answers 0F386h anyway
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, old vector now in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read an unpredictable value from the timer port
    xor cx,cx
    int 41h                 ; our handler copies al into cl unless a debugger handles the interrupt itself
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE driver */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025    ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001     ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
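As an added example (not part of the original text, nor of any tool it names), the following Python script scans a binary for the opcode sequences and strings that methods 01 to 05, 11, 12 and 13 leave behind, so an analyst can flag which anti-SoftICE tricks a sample carries before running it. The sample bytes are hand-assembled and constructed here; the opcode encodings are the standard x86 ones for the instructions shown above.

```python
"""Static triage of the SoftICE-detection idioms catalogued above.
Added example: scans a binary for the opcode sequences and strings those
methods leave behind and reports each hit with its file offset."""
import re
import sys

# x86 encodings of the instructions shown above: mov r16,imm16 = B8+reg
# (ax=B8 bx=BB si=BE di=BF), mov ebp,imm32 = BD, cmp ax,imm16 = 3D, int n = CD n.
# Short signatures can false-positive; hits carry offsets for manual review.
BYTE_SIGNATURES = (
    ("01", "BoundsChecker handshake: mov ebp,4243484Bh ('BCHK')",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    ("02", "int 3 back door magic: mov si,4647h ... mov di,4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a", re.DOTALL)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xb8\x84\x16.{0,4}\xbb\x02\x02.{0,4}\xcd\x2f", re.DOTALL)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,4}\xbb\x5f\x7a.{0,4}\xcd\x2f", re.DOTALL)),
    ("05", "cmp ax,0F386h (system debugger magic; also used by method 12)",
     re.compile(rb"\x3d\x86\xf3")),
)
STRING_SIGNATURES = (
    ("11", "MeltICE-style driver open", (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    ("13", "SoftICE registry key lookup",
     (b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe")),
)


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (method number, offset) for every hit, ordered by offset."""
    hits = []
    for method, _, pattern in BYTE_SIGNATURES:
        hits.extend((method, m.start()) for m in pattern.finditer(blob))
    for method, _, needles in STRING_SIGNATURES:
        for needle in needles:
            pos = blob.find(needle)
            while pos != -1:
                hits.append((method, pos))
                pos = blob.find(needle, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: hand-assembled fragments of methods 01, 02, 03 and 05
# plus the strings methods 11 and 13 rely on, behind 16 bytes of filler.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"      # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"          # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    names = {m: d for m, d, _ in BYTE_SIGNATURES + STRING_SIGNATURES}
    for method, offset in scan(data):
        print(f"{offset:#08x}  method {method}: {names[method]}")
```

Run it with a file path to scan a real binary; without arguments it scans the constructed sample.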
</PRE></TD></TR></TBODY></TABLE>