<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4            ; SoftICE answers the BoundsChecker call by changing al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
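An emulator or sandbox that wants to log these probes (instead of answering them like SoftICE would) needs exactly the register contract described in Methods 01 and 02. The classifier below is an added example, not code from this text or from any packer: it labels an int 3 event from its register values using the AX function numbers, the SI/DI magic values and the 'BCHK' constant listed above, and runs it over a constructed trace modelled on the Haspinst.exe listing. The trace format and function names are assumptions made for the example.

```python
# Added example: classify int 3 events by the register contract SoftICE uses.
# Not code from the text above; the sample trace below is constructed.

SOFTICE_MAGIC_SI = 0x4647
SOFTICE_MAGIC_DI = 0x4A4D
BCHK_MAGIC_EBP = 0x4243484B          # 'BCHK' seen as a little-endian dword

# Back door functions listed in the text (AX values).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}


def classify_int3(ax, si, di, ebp=0):
    """Return a short label for one int 3 event, given the register values."""
    # Method 01: BoundsChecker signature check (ebp='BCHK', al=4).
    if ebp == BCHK_MAGIC_EBP and (ax & 0xFF) == 0x04:
        return "bchk-probe"
    # Method 02: back door call (both magic values plus an AX function number).
    if si == SOFTICE_MAGIC_SI and di == SOFTICE_MAGIC_DI:
        if ax in BACKDOOR_FUNCTIONS:
            return "backdoor: " + BACKDOOR_FUNCTIONS[ax]
        return "backdoor: unknown function %04Xh" % ax
    # Anything else is an ordinary software breakpoint.
    return "plain-breakpoint"


def scan_trace(events):
    """Classify each (address, registers) pair; returns a list of (address, label)."""
    return [(addr, classify_int3(**regs)) for addr, regs in events]


def backdoor_hits(events):
    """Addresses whose int 3 is a SoftICE probe rather than a normal breakpoint."""
    return [addr for addr, label in scan_trace(events) if label != "plain-breakpoint"]


# Constructed trace: one back door call (as in the Haspinst.exe listing),
# one BoundsChecker probe, and one ordinary breakpoint.
SAMPLE_TRACE = [
    ("4C19:00A0", {"ax": 0x0911, "si": 0x4647, "di": 0x4A4D}),
    ("1000:0010", {"ax": 0x0004, "si": 0x0000, "di": 0x0000, "ebp": 0x4243484B}),
    ("1000:0020", {"ax": 0x0000, "si": 0x0000, "di": 0x0000}),
]


if __name__ == "__main__":
    for addr, label in scan_trace(SAMPLE_TRACE):
        print(addr, label)
```

The check on both SI and DI matters: either value alone appears in ordinary code often enough to be noise, while the pair together with a 091xh function number is the back door signature the text describes.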
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax    ; ES:DI stays 0:0 when no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: an arbitrary value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, cl == al; if SoftICE
    jnz SoftICE_detected    ; swallowed the int 41h, cl is still 0

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
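The 0x700 and 0x400 values above are easier to reason about once DR7 is split into its fields. The decoder below is an added example, not code from this text: it follows the DR7 bit layout from Intel's architecture manual (L/G enable pairs in bits 0-7, LE/GE in bits 8-9, the reserved always-one bit 10, GD in bit 13, R/W and LEN pairs from bit 16 upwards) and applies the text's rule that anything beyond the reserved bit, or a non-zero DR0-DR3, means a debugger has been at work. Reading the registers still needs ring 0, as the text says; the decoder only interprets values you already have, for instance from a kernel debugger's register window or a crash dump. The function names are assumptions made for the example.

```python
# Added example: decode the DR7 debug control register. Not code from the text.

DR7_RESERVED_BIT10 = 0x400      # always reads as 1 on x86: 0x400 means "nothing armed"
DR7_LE = 0x100                  # local exact breakpoint enable
DR7_GE = 0x200                  # global exact breakpoint enable
DR7_GD = 0x2000                 # general detect: trap any access to DR0-DR7

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}    # 8 is only defined in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing which hardware breakpoints DR7 enables."""
    breakpoints = []
    for n in range(4):
        local_enable = (dr7 >> (2 * n)) & 1          # Ln bit
        global_enable = (dr7 >> (2 * n + 1)) & 1     # Gn bit
        if not (local_enable or global_enable):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3               # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3               # LENn field
        breakpoints.append({
            "index": n,
            "scope": "global" if global_enable else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "local_exact": bool(dr7 & DR7_LE),
        "global_exact": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": breakpoints,
    }


def dr7_looks_debugged(dr7, dr0_3=(0, 0, 0, 0)):
    """The heuristic from the text: any bit other than the reserved one in DR7,
    or any non-zero address in DR0-DR3, suggests a debugger has touched them."""
    if dr7 & ~DR7_RESERVED_BIT10:
        return True
    return any(dr0_3)


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xF0401):
        print(hex(value), decode_dr7(value), dr7_looks_debugged(value))
```

With this decoder, the text's two values read as: 0x400 is the bare reserved bit (no debugger activity), while 0x700 adds LE and GE, which a kernel debugger sets so that data breakpoints report exactly. A BPM on one address shows up as an enabled slot with its R/W and LEN fields filled in, which is what the "dr0 to dr3" check in the text is looking for.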

___________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

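An analyst who meets these tricks usually wants to find them statically before running the sample, and the listings in Methods 01, 02, 05, 07 and 12 (and the driver and registry strings of Methods 11 and 13) are specific enough to become byte patterns. The scanner below is an added example, not code from this text or from any of the tools it mentions. The opcode encodings are standard x86 with little-endian immediates (the 16-bit forms also match when they sit under a 66h prefix in 32-bit code); the assumption is that the protector used the same immediate-operand forms the listings show, so alternative encodings of the same instructions are not covered. The image it scans is constructed; the function and signature names are assumptions made for the example.

```python
# Added example: static scan for the SoftICE-detection constants listed in the text.
# Not code from the text; SAMPLE below is a constructed image.
import re

# Each signature: name, byte patterns (regex over bytes) and a window in bytes
# within which every pattern after the first must also occur.
SIGNATURES = [
    ("M01 mov ebp,'BCHK' / int 3",
     [rb"\xBD\x4B\x48\x43\x42", rb"\xCC"], 32),            # mov ebp,4243484Bh ; int 3
    ("M02 int 3 back door (si=4647h, di=4A4Dh)",
     [rb"\xBE\x47\x46", rb"\xBF\x4D\x4A", rb"\xCC"], 32),  # mov si,4647h ; mov di,4A4Dh ; int 3
    ("M05 int 41h fn 4Fh",
     [rb"\xB8\x4F\x00\xCD\x41"], 0),                        # mov ax,4fh ; int 41h
    ("M07 int 68h fn 43h",
     [rb"\xB4\x43\xCD\x68"], 0),                            # mov ah,43h ; int 68h
    ("M12 VxDCall VWIN32_Int41Dispatch",
     [rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)",                # push 4fh (either encoding)
      rb"\x68\x2A\x00\x2A\x00"], 16),                       # push 2A002Ah
    ("M11 driver name string",
     [rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"], 0),           # "\\.\SICE" etc., NUL-terminated
    ("M13 registry key string",
     [rb"NuMega\\SoftICE"], 0),
]


def scan(image):
    """Return [(signature name, offset)] for every place a signature matches."""
    hits = []
    for name, patterns, window in SIGNATURES:
        compiled = [re.compile(p) for p in patterns]
        for m in compiled[0].finditer(image):
            # All remaining patterns must fall inside the window after the anchor.
            region = image[m.start():m.start() + len(m.group(0)) + window]
            if all(c.search(region) for c in compiled[1:]):
                hits.append((name, m.start()))
    return hits


def split_vxdcall(service_dword):
    """VxDCall service number: high word = VxD ID, low word = service index."""
    return service_dword >> 16, service_dword & 0xFFFF


# Constructed image: a Method 02 back door call, a Method 05 int 41h probe and
# a Method 11 device name, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xBE\x47\x46"                  # mov si,4647h
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\xCC"                          # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4fh ; int 41h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"              # device name as a C string
    + b"\x90" * 8
)


if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print("%-45s at offset %d" % (name, offset))
    print("VxDCall 002A002Ah = VxD %02Xh, service %02Xh" % split_vxdcall(0x002A002A))
```

The window rule keeps the lone int 3 opcode (CCh) from firing on its own: it only counts when the magic-value moves precede it closely, which is the shape the Haspinst.exe listing has. Treat the hits as leads for a debugger session, not proof; a string hit in particular can come from an innocent driver check.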
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>