<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker support: with 'BCHK' in EBP and AX=4,
SoftICE recognises the request and returns with AL changed, so AL still
being 4 after the int 3 means SoftICE is not loaded.

        mov  ebp, 04243484Bh    ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al, 4
        jnz  SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h  ('FG')
-DI = 4A4Dh  ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SoftICE is not loaded, jump to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* the "jump to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API Entry Point). If the VxD is not loaded, ES:DI
comes back as 0000:0000.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of WINICE
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax             ; anything but 0000:0000 means the VxD answered
        jnz  SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7A5Fh          ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov  ax, 4Fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler (a bare IRET) in the real-mode interrupt vector table, so
that without a system debugger int 41h returns with AX unchanged (4Fh)
rather than with whatever a stale DOS handler might answer:

        xor  ax, ax
        mov  es, ax             ; ES = 0: interrupt vector table
        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        mov  ax, 4Fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0F386h
        jz   SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to spot, since it
never compares anything against the magic number. The temporary handler
copies AL into CL; if SoftICE intercepts int 41h the handler never runs,
CL stays 0 and no longer matches AL (an unpredictable value read from the
timer port 40h):

int41handler PROC
        mov  cl, al
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax             ; ES = 0: interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; unpredictable value from timer channel 0
        xor  cx, cx
        int  41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al
        jnz  SoftICE_Detected
___________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov  ah, 25h            ; set interrupt vector
        mov  al, Int_Number     ; 01h or 03h
        mov  dx, offset New_Int_Routine  ; DS:DX -> new handler
        int  21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID
        mov  edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7A5F

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!!

This trick is very efficient:
by reading the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (DR7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether memory breakpoints are set (DR0 to
DR3). The values can also be manipulated or changed (clearing BPMs for
instance).
___________________________________________________________________________
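As an added worked example (not code from the page or from NuMega), the
following C program decodes a DR7 value the way a ring-0 check in the spirit
of Method 10 would, so the two values quoted above can be read bit by bit:
0x400 is reserved bit 10, which is always set, and the extra 0x300 in 0x700
is the LE and GE bits (8 and 9). The bit layout is the documented x86 DR7
format; the dr7_arm() helper and the sample values are constructed here to
exercise the decoder on a value with an armed breakpoint, as a SoftICE BPM
would leave behind.

```c
/* Added example: decode DR7 (x86 debug control register) and report which of
 * DR0..DR3 are armed.  dr7_arm() and the sample values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool    local;   /* Ln: breakpoint enabled for the current task       */
    bool    global;  /* Gn: breakpoint enabled for all tasks              */
    uint8_t rw;      /* R/Wn: 0=execute, 1=write, 2=I/O, 3=read/write     */
    uint8_t len;     /* LENn in bytes: 1, 2 or 4 (0 = undefined encoding) */
} dr7_slot;

typedef struct {
    dr7_slot bp[4];
    bool     le, ge; /* local/global exact breakpoint enable (bits 8, 9)  */
    bool     gd;     /* general detect: trap on MOV to/from DRn (bit 13)  */
    unsigned armed;  /* number of slots with L or G set                   */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    static const uint8_t len_bytes[4] = { 1, 2, 0, 4 }; /* LEN=10b undefined on 32-bit */
    dr7_info info = { 0 };
    for (int n = 0; n < 4; n++) {
        dr7_slot *s = &info.bp[n];
        s->local  = (dr7 >> (2 * n))      & 1;
        s->global = (dr7 >> (2 * n + 1))  & 1;
        s->rw     = (dr7 >> (16 + 4 * n)) & 3;
        s->len    = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
        if (s->local || s->global) info.armed++;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* The 0x700 reported by the page = reserved bit 10 (0x400) + LE + GE (0x300). */
bool dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700) == 0x700;
}

/* Arm DRn as a local breakpoint of the given type and size; returns the new DR7.
 * Constructed helper so the decoder can be tried on more than the two page values. */
uint32_t dr7_arm(uint32_t dr7, int n, uint8_t rw, uint8_t len_bytes)
{
    static const uint8_t len_code[5] = { 0, 0, 1, 0, 3 }; /* bytes -> LEN field */
    dr7 &= ~(3u << (2 * n));                     /* clear Ln/Gn          */
    dr7 &= ~(0xFu << (16 + 4 * n));              /* clear R/Wn and LENn  */
    dr7 |= 1u << (2 * n);                        /* local enable         */
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= (uint32_t)len_code[len_bytes] << (18 + 4 * n);
    return dr7 | 0x400;
}

int main(void)
{
    const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    /* Constructed samples: plain load, SoftICE loader, plus a 4-byte BPM RW on DR1 */
    uint32_t samples[3] = { 0x400, 0x700, dr7_arm(0x700, 1, 3, 4) };
    for (int i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("DR7=%08X loader=%d LE=%d GE=%d armed=%u\n", (unsigned)samples[i],
               dr7_matches_softice_loader(samples[i]), d.le, d.ge, d.armed);
        for (int n = 0; n < 4; n++)
            if (d.bp[n].local || d.bp[n].global)
                printf("  DR%d: %s, %u byte(s)\n", n, rw_name[d.bp[n].rw], d.bp[n].len);
    }
    return 0;
}
```

Reading DR7 itself (mov eax, dr7) faults in ring 3, which is why the page
restricts this method to ring 0; the decoder only interprets a value that has
already been obtained there.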

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    HANDLE hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001        ; INVALID_HANDLE_VALUE
00401074:  je   00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word selects the VxD (VWIN32),
                                ; low word selects the service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==F386            ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
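Added here as a worked example (it is not code from the page, nor from
FrogsICE, HASP or Bleem): a C classifier that recognises the interrupt-based
probes of Methods 01 to 05, 07 and 12 from a captured register snapshot, the
kind of matching an anti-anti-debugging layer or an interrupt tracer does
before deciding how to answer. The constants are the ones quoted in those
methods; the probe_event layout, the vxd_service/vxd_arg fields (assumed to
hold the two dwords a Win9x program pushes before calling Kernel32!ORD_0001)
and the sample trace in main() are constructed for this example. Method 06
is deliberately not covered: it carries no fixed value to match on.

```c
/* Added example (not code from the page, FrogsICE, HASP or Bleem): classify
 * captured interrupt events as the SoftICE probes of Methods 01-05, 07 and 12.
 * Constants are the ones quoted on the page; the event layout and the sample
 * trace in main() are constructed for this demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint8_t  intno;                 /* 03h, 2Fh, 41h, 68h; 30h stands for a Win9x VxDCall */
    uint32_t eax, ebx, esi, edi, ebp;
    uint32_t vxd_service, vxd_arg;  /* VxDCall only (assumed captured): 002A002Ah + function */
} probe_event;

typedef enum {
    PROBE_NONE = 0,
    PROBE_BCHK_SIGNATURE,   /* Method 01: int 3, EBP='BCHK', AX=0004h      */
    PROBE_BACKDOOR,         /* Method 02: int 3, SI=4647h, DI=4A4Dh, AH=09h */
    PROBE_VXD_ENTRY_SICE,   /* Method 03: int 2Fh/1684h, BX=0202h           */
    PROBE_VXD_ENTRY_SIWVID, /* Method 04: int 2Fh/1684h, BX=7A5Fh           */
    PROBE_INT41_4F,         /* Method 05: int 41h, AX=4Fh                   */
    PROBE_INT68_43,         /* Method 07: int 68h, AH=43h                   */
    PROBE_VXDCALL_INT41     /* Method 12: VxDCall 002A002Ah, function 4Fh   */
} probe_kind;

#define BCHK_SIGNATURE 0x4243484Bu
#define BACKDOOR_SI    0x4647u
#define BACKDOOR_DI    0x4A4Du
#define VXD_ID_SICE    0x0202u
#define VXD_ID_SIWVID  0x7A5Fu
#define VWIN32_INT41   0x002A002Au

probe_kind classify_probe(const probe_event *e)
{
    uint16_t ax = e->eax & 0xFFFF, bx = e->ebx & 0xFFFF;
    uint8_t  ah = ax >> 8, al = ax & 0xFF;

    switch (e->intno) {
    case 0x03:
        if (e->ebp == BCHK_SIGNATURE && ax == 0x0004)
            return PROBE_BCHK_SIGNATURE;
        if ((e->esi & 0xFFFF) == BACKDOOR_SI && (e->edi & 0xFFFF) == BACKDOOR_DI
            && ah == 0x09 && al >= 0x10 && al <= 0x14)
            return PROBE_BACKDOOR;
        return PROBE_NONE;              /* an ordinary int 3 breakpoint */
    case 0x2F:
        if (ax != 0x1684) return PROBE_NONE;
        if (bx == VXD_ID_SICE)   return PROBE_VXD_ENTRY_SICE;
        if (bx == VXD_ID_SIWVID) return PROBE_VXD_ENTRY_SIWVID;
        return PROBE_NONE;
    case 0x41:
        return ax == 0x004F ? PROBE_INT41_4F : PROBE_NONE;
    case 0x68:
        return ah == 0x43 ? PROBE_INT68_43 : PROBE_NONE;
    case 0x30:
        return (e->vxd_service == VWIN32_INT41 && e->vxd_arg == 0x4F)
               ? PROBE_VXDCALL_INT41 : PROBE_NONE;
    default:
        return PROBE_NONE;
    }
}

/* Method 02 sub-commands, selected by AL. */
const char *backdoor_command_name(uint8_t al)
{
    switch (al) {
    case 0x10: return "display string";
    case 0x11: return "execute command";
    case 0x12: return "get breakpoint info";
    case 0x13: return "set breakpoint";
    case 0x14: return "remove breakpoint";
    default:   return "not a back door command";
    }
}

int main(void)
{
    /* Constructed trace: the Haspinst.exe back door call, the BoundsChecker
     * check, an ordinary int 3, a SIWVID entry-point query, Bleem's VxDCall. */
    const probe_event trace[] = {
        { 0x03, 0x0911, 0, BACKDOOR_SI, BACKDOOR_DI, 0, 0, 0 },
        { 0x03, 0x0004, 0, 0, 0, BCHK_SIGNATURE, 0, 0 },
        { 0x03, 0x0004, 0, 0, 0, 0, 0, 0 },
        { 0x2F, 0x1684, VXD_ID_SIWVID, 0, 0, 0, 0, 0 },
        { 0x30, 0, 0, 0, 0, 0, VWIN32_INT41, 0x4F },
    };
    size_t n = sizeof trace / sizeof trace[0], hits = 0;
    for (size_t i = 0; i < n; i++) {
        probe_kind k = classify_probe(&trace[i]);
        if (k != PROBE_NONE) hits++;
        printf("event %zu: int %02Xh -> probe kind %d", i, (unsigned)trace[i].intno, (int)k);
        if (k == PROBE_BACKDOOR)
            printf(" (%s)", backdoor_command_name(trace[i].eax & 0xFF));
        printf("\n");
    }
    printf("%zu of %zu events are SoftICE probes\n", hits, n);
    return 0;
}
```

The classifier only names the probe; what to answer is a separate decision
(for Method 01, leave AL equal to 4; for Method 02, return without executing
the command), which is why the kinds are kept distinct rather than collapsed
into a single yes/no.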

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>