About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check built into SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh,
function 1684h (get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06), but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only):

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
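A static scanner for the tricks listed above, as an added example that is not part of the original post or of any tool it names (Haspinst.exe, MeltICE, nmtrans.dll, stn-wid.zip). It encodes the byte sequences of the published snippets for methods 01, 02, 03/04, 05, 07 and 12 as wildcard signatures, adds the MeltICE device names of method 11 as plain strings, and runs them over a buffer constructed here (the SAMPLE array is the snippets laid back to back with NOP filler, not bytes from any real program). The signature names, the SAMPLE buffer and the helper functions are my own; the encodings are the standard x86 ones for the 16-bit DOS forms shown in the post (B8/BB/BE/BF = mov ax/bx/si/di, B4 = mov ah, BD = mov ebp, CD = int, CC = int 3, 3D = cmp ax) and for the 32-bit push forms of method 12. Code assembled as 32-bit would carry a 66h prefix on the 16-bit mov/cmp forms and would need extra patterns; a match only proves the bytes are present, not that they execute, which is what the BPX/BPINT lines in the post are for.

```c
/* antisice_scan.c: static signature scan for the anti-SoftICE snippets above.
 * Added example; the SAMPLE input below is constructed, not taken from a real binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD (-1)                       /* pattern byte that matches anything */

typedef struct { const char *name; const int *pat; size_t len; int id_off; } sig_t;
typedef enum { HIT_OPCODE, HIT_DEVNAME } hit_kind;
typedef struct { hit_kind kind; const char *name; size_t offset; unsigned detail; } hit_t;

/* Byte encodings of the snippets shown in the post (16-bit code unless noted). */
static const int p01[] = {0xBD,0x4B,0x48,0x43,0x42};                  /* mov ebp,'BCHK'                     */
static const int p02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};        /* mov si,4647h; mov di,4A4Dh; int 3  */
static const int p03[] = {0xB8,0x84,0x16,0xBB,WILD,WILD,0xCD,0x2F};   /* mov ax,1684h; mov bx,ID; int 2Fh   */
static const int p05[] = {0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3};   /* mov ax,4Fh; int 41h; cmp ax,0F386h */
static const int p07[] = {0xB4,0x43,0xCD,0x68};                       /* mov ah,43h; int 68h                */
static const int p12[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};        /* push 4Fh; push 2A002Ah (32-bit)    */

static const sig_t SIGS[] = {
    {"01 mov ebp,'BCHK'; int 3",                 p01, sizeof p01 / sizeof *p01, -1},
    {"02 back door magic SI=4647h DI=4A4Dh; int 3", p02, sizeof p02 / sizeof *p02, -1},
    {"03/04 int 2Fh/1684h VxD ID probe",         p03, sizeof p03 / sizeof *p03,  4}, /* ID at bytes 4..5 */
    {"05 int 41h/4Fh, cmp ax,0F386h",            p05, sizeof p05 / sizeof *p05, -1},
    {"07 int 68h/43h",                           p07, sizeof p07 / sizeof *p07, -1},
    {"12 VxDCall VWIN32_Int41Dispatch(4Fh)",     p12, sizeof p12 / sizeof *p12, -1},
};
/* Device names opened by MeltICE-style checks (method 11). */
static const char *const DEVNAMES[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"};

static int match_at(const uint8_t *buf, size_t n, size_t off, const int *pat, size_t len)
{
    if (off + len > n) return 0;
    for (size_t i = 0; i < len; i++)
        if (pat[i] != WILD && buf[off + i] != (uint8_t)pat[i]) return 0;
    return 1;
}

/* Scan buf and fill hits (up to max_hits); returns the number of hits recorded. */
int scan_antisice(const uint8_t *buf, size_t n, hit_t *hits, int max_hits)
{
    int count = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof *SIGS; s++) {
        for (size_t off = 0; off + SIGS[s].len <= n; off++) {
            if (!match_at(buf, n, off, SIGS[s].pat, SIGS[s].len)) continue;
            if (count >= max_hits) return count;
            hits[count].kind = HIT_OPCODE;
            hits[count].name = SIGS[s].name;
            hits[count].offset = off;
            /* For the int 2Fh probe, recover the little-endian VxD ID loaded into BX. */
            hits[count].detail = SIGS[s].id_off < 0 ? 0
                : ((unsigned)buf[off + SIGS[s].id_off] | (unsigned)buf[off + SIGS[s].id_off + 1] << 8);
            count++;
        }
    }
    for (size_t d = 0; d < sizeof DEVNAMES / sizeof *DEVNAMES; d++) {
        size_t len = strlen(DEVNAMES[d]);
        for (size_t off = 0; off + len <= n; off++) {
            if (memcmp(buf + off, DEVNAMES[d], len) != 0) continue;
            if (count >= max_hits) return count;
            hits[count].kind = HIT_DEVNAME;
            hits[count].name = "11 MeltICE device name";
            hits[count].offset = off;
            hits[count].detail = (unsigned)d;       /* index into DEVNAMES */
            count++;
        }
    }
    return count;
}

/* VxD IDs named in methods 03, 04 and 09. */
const char *vxd_name(unsigned id) { return id == 0x0202 ? "SICE" : id == 0x7A5F ? "SIWVID" : "unknown"; }

/* Constructed input: the snippets back to back with NOP filler. Offsets in comments. */
const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,                                   /*  0: filler               */
    0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC,               /*  3: method 02            */
    0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F,          /* 10: method 03, ID 0202h  */
    0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F,          /* 18: method 04, ID 7A5Fh  */
    0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3,          /* 26: method 05            */
    0xB4,0x43,0xCD,0x68,                              /* 34: method 07            */
    0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00,               /* 38: method 12            */
    0xBD,0x4B,0x48,0x43,0x42,                         /* 45: method 01            */
    '\\','\\','.','\\','S','I','C','E',0,             /* 50: "\\.\SICE"           */
    0x90,0x90                                         /* 59: filler               */
};
size_t sample_len(void) { return sizeof SAMPLE; }

int main(void)
{
    hit_t hits[32];
    int n = scan_antisice(SAMPLE, sizeof SAMPLE, hits, 32);
    for (int i = 0; i < n; i++) {
        printf("%04zx  %s", hits[i].offset, hits[i].name);
        if (hits[i].kind == HIT_DEVNAME)  printf("  (%s)", DEVNAMES[hits[i].detail]);
        else if (hits[i].detail)          printf("  (ID %04X = %s)", hits[i].detail, vxd_name(hits[i].detail));
        putchar('\n');
    }
    return n ? 1 : 0;           /* non-zero exit when anti-debug patterns were found */
}
```

Run it on a real DOS executable or a raw code dump instead of SAMPLE, and treat each hit as a place to set the corresponding breakpoint from the post (BPINT 3, BPINT 2F, BPINT 41, BPX CreateFileA and so on) rather than as proof by itself.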
Site: 汶上信息港 ( 鲁ICP备19052200号-1 ). Powered by Discuz! X3.5, © 2001-2025 Discuz! Team.