About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]    ; es is assumed to be 0 (IVT segment) here
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

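As an added illustration (not part of the original text), here is a Python decoder for the DR7 and DR0-DR3 values Method 10 reads, so that the raw numbers quoted above (dr7 = 0x700 or 0x400) are explained in terms of the DR7 bit fields. The field layout is the standard IA-32 one; the function names are my own and the register values in the usage are constructed, since the real ones can only be read from ring0.

```python
# Added example, not part of the original post: decode the debug-register
# values Method 10 reads. Bit layout is the standard IA-32 DR7 layout;
# the register values used below are constructed for illustration.

DR7_LE = 1 << 8         # local exact breakpoint enable
DR7_GE = 1 << 9         # global exact breakpoint enable
DR7_RESERVED = 1 << 10  # always reads as 1, hence the idle value 0x400

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 0b10 = 8 bytes only in 64-bit mode

def decode_dr7(dr7, dr0_3):
    """Return (exact_flags_set, active_breakpoints) for a DR7 value and [DR0..DR3].
    Breakpoint i is active when its L(i) (bit 2i) or G(i) (bit 2i+1) is set;
    its type and length live in bits 16+4i..17+4i and 18+4i..19+4i."""
    active = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        active.append({"reg": i, "addr": dr0_3[i], "kind": RW_KIND[rw],
                       "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    exact = bool(dr7 & DR7_LE) and bool(dr7 & DR7_GE)
    return exact, active

def softice_verdict(dr7, dr0_3):
    """Apply Method 10's reading: LE and GE both set (the 0x700 pattern) means the
    program was started from the SoftICE loader; any enabled DR0..DR3 means a BPM."""
    exact, active = decode_dr7(dr7, dr0_3)
    if exact:
        return True, "dr7 has LE and GE set (0x700 pattern): started from SoftICE loader"
    if active:
        where = ", ".join("dr%d=%#x (%s, %d bytes)" % (b["reg"], b["addr"], b["kind"], b["len"])
                          for b in active)
        return True, "hardware breakpoint(s) enabled in dr7: BPM set on " + where
    return False, "dr7 is the idle value (0x400): nothing found"

if __name__ == "__main__":
    # Constructed values: idle machine, SoftICE loader, one 4-byte R/W BPM on 0x401000
    for dr7, regs in ((0x400, [0] * 4), (0x700, [0] * 4),
                      (0x400 | 0b01 | (0b11 << 16) | (0b11 << 18), [0x401000, 0, 0, 0])):
        print("dr7=%#07x -> %s" % (dr7, softice_verdict(dr7, regs)[1]))
```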
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

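As an added example that is not from the original post or from any of the programs it mentions, here is a Python signature scanner that flags the byte patterns of Methods 01-07, 11, 12 and 13 in a file image, the way an analyst triages a packed sample before loading it in a debugger. The opcode encodings are the standard x86 ones; the function and constant names are my own and the sample buffer is constructed for the demo, not taken from any real program.

```python
# Added example, not part of the original post: static scanner for the
# anti-SoftICE tricks described above. Opcode bytes follow the standard
# x86 encodings; SAMPLE at the bottom is a constructed buffer, not a real file.
import re

# (label, regex over raw bytes); compiled with DOTALL so '.' matches any byte
SIGNATURES = [
    ("Method 01: int 3 / 'BCHK'",
     # mov ebp,4243484Bh = BD 4B 48 43 42 ('KHCB' little-endian) ... int 3 = CC
     rb"\xbdKHCB.{0,8}\xcc"),
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     # mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A ; int 3 = CC
     rb"\xbeGF.{0,6}\xbfMJ.{0,6}\xcc"),
    ("Method 03/04: int 2Fh/1684h VxD entry lookup (SICE or SIWVID)",
     # mov ax,1684h = B8 84 16 ; mov bx,0202h|7A5Fh = BB 02 02 | BB 5F 7A ; int 2Fh = CD 2F
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    ("Method 05: int 41h function 4Fh",
     # mov ax,4Fh = B8 4F 00 ; int 41h = CD 41
     rb"\xb8\x4f\x00\xcd\x41"),
    ("Methods 05/07/12: compare with magic 0F386h",
     # cmp ax,0F386h = 3D 86 F3 (a 66h prefix before it in 32-bit code does not matter)
     rb"\x3d\x86\xf3"),
    ("Method 11: SoftICE device name",
     # '\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' as passed to CreateFileA / _lopen
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch",
     # push 4Fh = 6A 4F ; push 002A002Ah = 68 2A 00 2A 00
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("Method 13: NuMega\\SoftICE registry key",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]

def scan(buf):
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)

# Constructed sample: the tricks' opcodes concatenated behind a few NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbdKHCB\x66\xb8\x04\x00\xcc\x3c\x04"        # Method 01 (32-bit encoding)
    + b"\xb8\x11\x09\xbeGF\xbfMJ\xcc"                 # Method 02 (16-bit, as in Haspinst)
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"             # Method 03 (SICE VxD ID 0202h)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"             # Method 05 + magic compare
    + b"\\\\.\\SICE\x00"                              # Method 11 device name
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                 # Method 12 VxDCall arguments
    + b"Software\\NuMega\\SoftICE\x00"                # Method 13 registry key
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print("%06x  %s" % (off, label))
```

Run it on a real dump with `scan(open(path, "rb").read())`; a hit is a lead for where to break, not proof of the trick, so confirm it in the disassembly.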
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
) b" [$ K- l$ F1 Y! Q</PRE></TD></TR></TBODY></TABLE>