About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: with
EBP='BCHK' and AX=4, SoftICE's int 3 handler modifies AL, so if AL is
still 4 after the interrupt no SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; unchanged -> nobody answered the BCHK request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 3 handler) if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI comes back as 0:0 when no VxD with
that ID is loaded.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax          ; 0:0 -> VxD not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector is
temporarily replaced by a plain IRET, so AX can only become 0F386h if a
system debugger caught the interrupt before it reached that vector:

    xor     ax, ax
    mov     es, ax              ; ES = 0 (interrupt vector table); implied by the listing
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our IRET handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect. The
replacement handler copies AL into CL; if a debugger handles int 41h
itself instead of letting it reach the vector, the handler never runs and
CL stays 0. Note that if the value read from port 40h happens to be 0,
CL equals AL either way and the check misses.

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax              ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random function number from the PIT counter
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX = new handler (DS must hold its segment)
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only, since mov from a debug register is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware try to
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4Fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word which service (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

     (esp->8 is the lpSubKey argument; the 'tICE' of "SoftICE" sits at
     offset 0x13 in key #2 and at offset 0x37 in key #1)

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set -> no debugger

This service just checks a flag.
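Most of the tricks above leave fixed byte sequences in the protected file: the 'BCHK' immediate, the two back-door magic words, the int 2Fh/1684h VxD IDs, the 0F386h compare, the "\\.\SICE"-style device names, the 002A002Ah VWIN32 service number and the registry key paths. The scanner below is an added example, not code from the original post or from any packer it mentions; it searches a raw code/data dump for those encodings and reports which method each hit belongs to, so you know which breakpoints to set before tracing. The opcode encodings assume 16-bit code (32-bit code only adds a 66h prefix in front of the 16-bit register moves, which the patterns tolerate), the hit windows of up to 8 bytes between instructions are my own choice, and the sample blob is hand-assembled for the demonstration, not taken from a real protector.

```python
"""Static scanner for the anti-SoftICE signatures catalogued above (added example)."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # method number from the text above
    offset: int   # byte offset of the match in the scanned data
    label: str


# Opcode encodings are for 16-bit code; each pattern starts at the opcode
# byte, so a 66h operand-size prefix in 32-bit code does not break the match.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK', BoundsChecker interface)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "mov si,4647h + mov di,4A4Dh (int 3 back door magic)",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46", re.S)),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F", re.S)),
    ("05", "mov ax,4Fh + int 41h (debugger installation check)",
     re.compile(rb"\xB8\x4F\x00.{0,8}\xCD\x41", re.S)),
    ("07", "mov ah,43h + int 68h",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.S)),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE"
                rb"|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
                rb"|Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32\.Exe)")),
]


def scan(data: bytes) -> list:
    """Return every signature hit in `data`, ordered by offset."""
    hits = []
    for method, label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append(Hit(method, m.start(), label))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> set:
    """Just the set of method numbers whose signature appears in `data`."""
    return {h.method for h in scan(data)}


# Constructed sample: NOP filler around hand-assembled 16-bit snippets from
# Methods 01, 02, 03 and 05 plus the strings used by Methods 11 and 13.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"                             # mov ebp,4243484Bh
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"                 # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"     # mov ax,911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F" # xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"         # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                  # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"                   # registry key #2
    + b"\x90" * 16
)


def main(argv):
    """Scan the file named on the command line, or the built-in sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for h in scan(data):
        print(f"{h.offset:08x}  Method {h.method:<8} {h.label}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to scan the built-in sample, or pass a dumped DOS/PE image. The 0F386h compare is reported separately because Methods 05, 07 and 12 all end with it; a hit on it alone tells you a debugger check is nearby even when the interrupt or VxDCall that precedes it was encoded differently from the listings above.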