<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, saving the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; pseudo-random value from the PIT counter
    xor cx,cx
    int 41h                ; if SoftICE intercepts int 41h, our handler never runs
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; CL == AL only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

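As an added example (not part of the original text), a small static scanner that flags the byte patterns of the checks from Methods 01, 02, 03/04, 05, 11 and 12 in a file image, the way an analyst triages a packer before stepping through it. The signature names are mine, the opcode encodings assume plain 16-bit code for the DOS/V86 tricks and 32-bit code for the Win32 ones, and the sample buffer is constructed.

```python
import re

# Byte signatures for the SoftICE checks discussed above (assumed encodings:
# 16-bit for the DOS/V86 tricks, 32-bit for the Win32 ones). Variants that
# load the same values through registers or memory will not match.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "int3_boundschecker": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back-door magic values)
    "int3_backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int41_debugger_check": rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 11 (MeltICE): driver device names handed to CreateFileA/_lopen
    "meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 2A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41_dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> list:
    """Return sorted (offset, signature_name) pairs for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(blob: bytes) -> dict:
    """Count hits per signature: a one-line triage before debugging."""
    counts = {}
    for _, name in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: filler bytes around three of the tricks from the text.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"        # Method 12
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```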
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>