<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next snippet, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; ES must point to the IVT (segment 0), as in Method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original int 41h vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
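
As an added example that is not part of the original text, the following
Python decodes the IA-32 DR7 layout so the two values quoted above (0x700 with
the SoftICE loader, 0x400 otherwise) can be compared field by field, and so a
breakpoint armed in DR0-DR3 can be read off the enable, type and length fields
that such a check inspects. The bit positions are those of the IA-32 debug
registers; the function names and the constructed value 0xD0401 are mine.

```python
# Added example (not from the original text): decode the IA-32 DR7 layout so
# that the values quoted for Method 10 (0x700 vs 0x400) and any enabled
# DR0-DR3 breakpoints can be read field by field. Names are mine.

DR7_LE = 0x100              # bit 8:  local exact breakpoint enable
DR7_GE = 0x200              # bit 9:  global exact breakpoint enable
DR7_RESERVED_BIT10 = 0x400  # bit 10: reserved, always reads as 1
DR7_GD = 0x2000             # bit 13: general detect (trap on MOV to/from DRn)

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                   # LENn field -> bytes


def decode_dr7(dr7):
    """Describe the breakpoints and control bits encoded in a DR7 value."""
    bps = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)         # Ln bit
        glob = bool(dr7 >> (2 * n + 1) & 1)      # Gn bit
        if not (local or glob):
            continue                             # DRn is not armed
        rw = dr7 >> (16 + 4 * n) & 3
        ln = dr7 >> (18 + 4 * n) & 3
        bps.append({"index": n, "local": local, "global": glob,
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_ok": bool(dr7 & DR7_RESERVED_BIT10),
    }


def extra_bits_vs_baseline(observed, baseline=0x400):
    """Names of the DR7 bits set in `observed` but clear in `baseline`.

    With the page's values, extra_bits_vs_baseline(0x700) names LE and GE:
    the 0x700 seen under the SoftICE loader is the reserved bit plus the two
    exact-breakpoint enables, with no DR0-DR3 breakpoint armed.
    """
    extra = observed & ~baseline
    names = [label for bit, label in ((DR7_LE, "LE"), (DR7_GE, "GE"), (DR7_GD, "GD"))
             if extra & bit]
    for n in range(4):
        if extra >> (2 * n) & 1:
            names.append("L%d" % n)
        if extra >> (2 * n + 1) & 1:
            names.append("G%d" % n)
    return names


if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 armed locally as a 4-byte write
    # breakpoint, the shape a dword write BPM would have.
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), decode_dr7(value), extra_bits_vs_baseline(value))
```

Reading the output for 0x700 against 0x400 shows that the loader's value adds
only LE and GE; a memory breakpoint shows up instead as a populated
"breakpoints" list with its type and length.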

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
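
Added example, not from the original document: a small Python scanner that
statically looks for the immediates and strings the methods above rely on
(the 'BCHK' mov of Method 01, the 4647h/4A4Dh magic of Method 02, the
int 2Fh/1684h sequences of Methods 03 and 04, the int 41h/4Fh and 0F386h
checks of Methods 05 and 12, the int 68h call of Method 07, the device paths
of Method 11 and the registry sub-keys of Method 13), and that recomputes the
dword offsets used in the breakpoint conditions (+4 for 'SICE' in Method 11,
0x13 and 0x37 for 'tICE' just above). The sample buffer, the label names and
the 16-bit or 32-bit encoding chosen for each signature are assumptions of
this example; only the \\.\SICE device path is spelled out on the page, the
SIWVID and NTICE paths follow the same form.

```python
# Added example (not from the original text): static scan of a binary blob for
# the immediates and strings that the anti-SoftICE methods described here
# embed, plus a recomputation of the dword offsets used in the page's
# breakpoint conditions. Labels, sample bytes and encoding choices are mine.

# Little-endian x86 encodings of the instructions quoted on the page.
# 16-bit (DOS) forms are used where the page shows DOS code.
SIGNATURES = {
    "method01_bchk":        bytes.fromhex("bd4b484342"),        # mov ebp, 4243484Bh ('BCHK')
    "method02_si_magic":    bytes.fromhex("be4746"),            # mov si, 4647h (16-bit)
    "method02_di_magic":    bytes.fromhex("bf4d4a"),            # mov di, 4A4Dh (16-bit)
    "method03_sice_vxd":    bytes.fromhex("b88416bb0202cd2f"),  # mov ax,1684h / mov bx,0202h / int 2Fh
    "method04_siwvid_vxd":  bytes.fromhex("b88416bb5f7acd2f"),  # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    "method05_int41_4f":    bytes.fromhex("b84f00cd41"),        # mov ax,4Fh / int 41h (16-bit)
    "magic_f386_cmp":       bytes.fromhex("3d86f3"),            # cmp ax, 0F386h (16-bit)
    "method07_int68_43":    bytes.fromhex("b443cd68"),          # mov ah,43h / int 68h
    "method12_vwin32_int41": bytes.fromhex("682a002a00"),       # push 002A002Ah (VWIN32_Int41Dispatch)
}

# Device paths (Method 11) and RegOpenKey sub-keys (Method 13) as ASCII
# arguments. Only \\.\SICE is spelled out on the page; the SIWVID and NTICE
# paths are assumed to follow the same \\.\NAME form.
DEVICE_PATHS = {
    "device_sice":   "\\\\.\\SICE",
    "device_siwvid": "\\\\.\\SIWVID",
    "device_ntice":  "\\\\.\\NTICE",
}
REGISTRY_SUBKEYS = {
    "regkey_uninstall": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "regkey_numega":    "Software\\NuMega\\SoftICE",
    "regkey_loader32":  "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
}


def _find_all(blob, needle):
    """Yield every offset at which `needle` occurs in `blob`."""
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def scan_for_softice_checks(blob):
    """Return sorted (offset, label) pairs for every known signature or string."""
    hits = []
    for label, sig in SIGNATURES.items():
        hits.extend((off, label) for off in _find_all(blob, sig))
    for table in (DEVICE_PATHS, REGISTRY_SUBKEYS):
        for label, text in table.items():
            hits.extend((off, label) for off in _find_all(blob, text.encode("ascii")))
    return sorted(hits)


def cmp_dword_offset(argument, dword):
    """Byte offset of a 4-char dword inside a string argument.

    This is the constant a SoftICE condition such as *(esp->8+0x13)=='tICE'
    adds to the argument pointer before comparing four bytes.
    """
    return argument.index(dword)


# Constructed sample: a fragment of 32-bit code using the 'BCHK' trick,
# followed by the strings a MeltICE-style and a registry check would carry.
SAMPLE = (
    bytes.fromhex("558bec")               # push ebp / mov ebp,esp (constructed prologue)
    + SIGNATURES["method01_bchk"]
    + bytes.fromhex("66b80400cc")         # mov ax,4 / int 3 (32-bit operand-size prefix)
    + b"\x00" * 5
    + DEVICE_PATHS["device_sice"].encode("ascii") + b"\x00"
    + REGISTRY_SUBKEYS["regkey_numega"].encode("ascii") + b"\x00"
)


if __name__ == "__main__":
    for off, label in scan_for_softice_checks(SAMPLE):
        print("0x%04x %s" % (off, label))
    print("SICE offset in device path:",
          cmp_dword_offset(DEVICE_PATHS["device_sice"], "SICE"))
    for name in ("regkey_numega", "regkey_uninstall"):
        print(name, hex(cmp_dword_offset(REGISTRY_SUBKEYS[name], "tICE")))
```

The offsets the script prints for the two sub-keys are 0x13 and 0x37, which
is where the _regopenkey breakpoint condition above gets its two constants;
the byte signatures are a first-pass triage aid, since a packer can trivially
split or recompute the immediates.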

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>