<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK' (BoundsChecker signature)
 mov ax, 04h
 int 3 ; SoftICE's int 3 handler answers the BoundsChecker interface
 cmp al,4 ; al stays 4 unless SoftICE's handler processed the call
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"):

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0: interrupt vector table segment
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
 mov ax,4fh
 int 41h ; a system debugger answers with ax=0F386h; our handler does nothing
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler: copy the nonce from al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0: interrupt vector table segment
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
 in al, 40h ; read the PIT counter: an unpredictable byte
 xor cx,cx
 int 41h ; our handler should copy al into cl...
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; ...unless a system debugger took the int 41h instead
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> the new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* Try to open the SoftICE Win9x driver by its device name. */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* The driver answered the open: SoftICE is loaded. */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
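Taken together, Methods 01 to 13 leave recognisable byte patterns in a protected executable, so an analyst can triage a binary for them statically instead of waiting for a breakpoint to fire. The scanner below is an added example, not code from the original text or from any of the tools it mentions: it searches for the opcode sequences of Methods 01, 02, 03/04, 05, 07 and 12, the MeltICE device names of Method 11 and the registry keys of Method 13. Only the instruction encodings of the code shown above are used; the rule names, the tolerated gaps between instructions and the sample bytes are my own assumptions.

```python
import re

# Byte-level indicators for the SoftICE checks of Methods 01 to 13. Opcode
# patterns follow the encodings of the code shown above (16-bit DOS code for the
# int-based checks, 32-bit code for the 'BCHK' and VxDCall probes); ".{0,n}?"
# tolerates a few unrelated instructions between the key ones (assumed gaps).
OPCODE_RULES = [
    ("M01 BoundsChecker probe: mov ebp,4243484Bh .. int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("M02 SoftICE int 3 back door: mov si,4647h / mov di,4A4Dh .. int 3",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("M03/M04 VxD entry point: mov ax,1684h / mov bx,0202h|7A5Fh .. int 2Fh",
     rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    ("M05 debugger installation check: mov ax,4Fh .. int 41h",
     rb"\xB8\x4F\x00.{0,12}?\xCD\x41"),
    ("M05/M07/M12 debugger magic: cmp ax,0F386h",
     rb"\x3D\x86\xF3"),
    ("M07 V86 handler probe: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
# Text indicators of Methods 11 and 13, matched case-insensitively because Win32
# device names and registry paths are. Opcode rules must NOT be case-insensitive:
# that would let 0x4B ('K') also match 0x6B ('k') and create false positives.
STRING_RULES = [
    ("M11 MeltICE device name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("M13 SoftICE registry key",
     rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
RULES = [(n, re.compile(p, re.DOTALL)) for n, p in OPCODE_RULES] + \
        [(n, re.compile(p, re.IGNORECASE)) for n, p in STRING_RULES]

def scan(data):
    """Return sorted (offset, rule name) pairs for every indicator found in data."""
    hits = []
    for name, rx in RULES:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)

# Constructed sample (not a real binary): the Method 02 loop from Haspinst.exe,
# a Method 05 probe, the MeltICE device name and registry key #2, plus filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x83\xC3\x02"           # add bx,2
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"   # cmp ax,0F386h / jz SoftICE_detected
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"+0x{offset:04X}  {name}")
```

A hit only says the pattern is present; the int 41h and 0F386h rules in particular also match legitimate debugger-aware code, so treat the offsets as places to look, not as a verdict.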
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>