About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment); Method 06 sets it explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if nobody else handles int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler did not run => someone else owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the SICE device only succeeds when the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
DW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.