About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler reacts to this pair
    cmp     al, 4                  ; AL left untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 -> VxD not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 (IVT), same setup as in Method 06; added here
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our handler leaves ax alone; only a debugger returns the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; reached only if nobody intercepts int 41h before us
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; an arbitrary value (timer port) in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our own handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
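The DR7 values quoted above (0x700 and 0x400) are easier to reason about once the register is split into its fields. The following Python decoder is an added example, not code from the original post; it uses the architectural DR7 layout (L0..G3 enable bits, LE/GE, GD, and the per-register R/W and LEN fields), and the two values that carry breakpoints are constructed for the demonstration:

```python
# Added example, not part of the original post: decode the DR7 values quoted
# in Method 10 into their architectural fields (standard x86 DR7 layout).
# The breakpoint-carrying sample values at the bottom are constructed.

# R/W field (bits 16-17, 20-21, 24-25, 28-29): what triggers the breakpoint.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field (bits 18-19, 22-23, 26-27, 30-31): size of the watched range
# (encoding 2 means 8 bytes and is only valid in 64-bit mode).
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the list of armed breakpoints."""
    fields = {
        "LE": bool(dr7 >> 8 & 1),     # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),     # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),    # general detect: trap on any MOV to a DRx
        "breakpoints": [],
    }
    for n in range(4):                 # DR0..DR3
        local_en = dr7 >> (2 * n) & 1
        global_en = dr7 >> (2 * n + 1) & 1
        if not (local_en or global_en):
            continue
        fields["breakpoints"].append({
            "register": f"dr{n}",
            "local": bool(local_en),
            "global": bool(global_en),
            "type": RW_NAMES[dr7 >> (16 + 4 * n) & 3],
            "length": LEN_BYTES[dr7 >> (18 + 4 * n) & 3],
        })
    return fields


def classify(dr7):
    """Apply the rule of thumb from Method 10 to a DR7 value read in ring 0."""
    f = decode_dr7(dr7)
    if f["breakpoints"]:
        return "hardware breakpoint(s) armed"
    if f["LE"] and f["GE"]:
        return "loaded through SoftICE Loader (0x700 pattern)"
    return "nothing visible in DR7 (0x400 pattern)"


# Constructed values: 0x700 and 0x400 are the ones quoted in the post; the
# other two add a global 4-byte read/write BPM in dr0, respectively a local
# execute breakpoint in dr1, on top of them.
SAMPLES = {
    0x00000700: "SoftICE Loader",
    0x00000400: "plain load",
    0x000F0402: "BPM in dr0, read/write, 4 bytes, global",
    0x00000704: "Loader plus execute breakpoint in dr1, local",
}

if __name__ == "__main__":
    for value, label in SAMPLES.items():
        print(f"dr7={value:#010x} ({label}): {classify(value)}")
        for bp in decode_dr7(value)["breakpoints"]:
            print("   ", bp)
```

0x700 is 0x400 (bit 10, which is always set) plus LE and GE, which is what the loader leaves behind; a BPM shows up as an enable bit in the low byte together with a non-zero R/W field, so a checker that only compares DR7 against 0x400 will also trip on any armed hardware breakpoint.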

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Opening the device name \\.\SICE only succeeds when the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
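Methods 01, 02, 05, 07 and 12 all reduce to short, fixed opcode sequences, which makes them easy to triage statically before a sample is ever run. The scanner below is an added example, not code from the original post or from any program it names: it hand-assembles the instructions quoted in those methods into their standard x86 byte encodings, and the SAMPLE buffer is constructed from those snippets with NOP padding:

```python
# Added example, not code from the original post: a static scanner for the
# opcode sequences behind Methods 01, 02, 05, 07 and 12, so a packed sample
# can be triaged for these tricks without executing it.  The byte encodings
# are the standard x86 ones for the instructions quoted in those methods;
# SAMPLE is a constructed buffer, not a real program.
import re

# int 3 back-door function codes, from the table in Method 02.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

INT3 = re.compile(rb"\xCC|\xCD\x03")              # int 3, short or long form
FN_CODE = re.compile(rb"\xB8([\x10-\x14])\x09")   # mov ax, 091xh
MAGIC_SI_DI = (b"\xBE\x47\x46", b"\xBF\x4D\x4A")  # mov si,4647h ; mov di,4A4Dh
BCHK = b"\xBD\x4B\x48\x43\x42"                    # mov ebp, 4243484Bh ('BCHK')

# Fixed sequences for the int 41h / int 68h / VxDCall family.  16-bit
# encodings; the 32-bit forms only add a 66h prefix or trailing zero bytes,
# which still match because the leading bytes are what is searched for.
FIXED_SIGNATURES = [
    ("05", rb"\xB8\x4F\x00\xCD\x41", "mov ax,4Fh / int 41h (debugger installation check)"),
    ("07", rb"\xB4\x43\xCD\x68", "mov ah,43h / int 68h (V86 WinICE handler)"),
    ("12", rb"\x68\x2A\x00\x2A\x00", "push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)"),
    ("F386", rb"\x3D\x86\xF3", "cmp ax,0F386h (system-debugger magic number)"),
]


def scan(data, window=32):
    """Return sorted (offset, method, detail) tuples for every pattern found.

    The int 3 tricks are matched by looking at the `window` bytes before each
    int 3 for the magic register loads, so operand order does not matter.
    """
    hits = []
    for m in INT3.finditer(data):
        before = data[max(0, m.start() - window):m.start()]
        if all(sig in before for sig in MAGIC_SI_DI):
            fn = FN_CODE.search(before)
            code = (0x0900 | fn.group(1)[0]) if fn else None
            if code is None:
                detail = "int 3 back door, function code not found nearby"
            else:
                detail = f"int 3 back door, AX={code:#06x} ({BACKDOOR_FUNCTIONS[code]})"
            hits.append((m.start(), "02", detail))
        if BCHK in before:
            hits.append((m.start(), "01", "int 3 with EBP='BCHK' (BoundsChecker probe)"))
    for method, pattern, detail in FIXED_SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), method, detail))
    return sorted(hits)


# Constructed sample: the snippets from the post, hand-assembled, with NOP
# padding between them (40 bytes, so one snippet's register loads never fall
# inside the window of the next snippet's int 3).
PAD = b"\x90" * 40
SAMPLE = (
    b"\x90" * 4
    # Method 02, as in the Haspinst.exe listing (16-bit code)
    + b"\xB8\x11\x09"           # mov ax, 0911h   (execute command)
    + b"\x8B\x17"               # mov dx, [bx]
    + b"\xBE\x47\x46"           # mov si, 4647h
    + b"\xBF\x4D\x4A"           # mov di, 4A4Dh
    + b"\xCC"                   # int 3
    + PAD
    # Method 01, BoundsChecker signature (32-bit code)
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04\x75\x10"       # cmp al,4 / jnz SoftICE_Detected
    + PAD
    # Method 05
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"   # cmp ax,0F386h / jz SoftICE_detected
    + PAD
    # Method 07
    + b"\xB4\x43\xCD\x68"       # mov ah,43h / int 68h
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + PAD
    # Method 12 (32-bit code)
    + b"\x6A\x4F"               # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"   # push 2A002Ah
    + b"\xE8\x00\x00\x00\x00"   # call Kernel32!ORD_0001 (displacement left 0)
    + b"\x66\x3D\x86\xF3"       # cmp ax,0F386h
)

if __name__ == "__main__":
    for offset, method, detail in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:4} {detail}")
```

Run as a script it lists each offset with the method number and, for the int 3 back door, the function code (0910h..0914h) found in front of the int 3. Anchoring on the int 3 and looking backwards keeps the check independent of the order in which AX, SI and DI are loaded; the 32-byte window is a practical choice for the listings above, not an architectural limit, and the 0F386h compare is reported on its own because it is shared by Methods 05, 07 and 12.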

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
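The MeltICE probe (Method 11) and the registry lookups (Method 13) leave literal strings in the binary, so the same idea as the BPX conditions above can be applied statically. The scanner below is an added example, not code from the original post: it searches a buffer for the \\.\ device prefix followed by the four characters SICE, SIWV or NTIC (the comparison the BPX on CreateFileA makes) and for the three registry paths, in both ANSI and UTF-16LE spellings; SAMPLE is a constructed buffer:

```python
# Added example, not code from the original post: a static string scanner
# for the device names probed by MeltICE-style checks (Method 11) and the
# registry keys listed in Method 13.  It mirrors the BPX condition above,
# which looks at the four characters after the \\.\ prefix, and checks both
# ANSI and UTF-16LE spellings.  SAMPLE is a constructed buffer.
import re

DEVICE_PREFIX = "\\\\.\\"          # the Win32 device-path prefix \\.\
DEVICE_TAGS = {                    # four characters after the prefix
    "SICE": "SICE (SoftICE Win9x)",
    "SIWV": "SIWVID (SoftICE video driver, Win9x)",
    "NTIC": "NTICE (SoftICE WinNT)",
}
REGISTRY_KEYS = {                  # the three keys from Method 13
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE": "#1",
    "Software\\NuMega\\SoftICE": "#2",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe": "#3",
}
ENCODINGS = (("latin-1", "ansi"), ("utf-16-le", "wide"))


def needles():
    """Yield (pattern bytes, encoding label, description) for every marker."""
    for enc, label in ENCODINGS:
        for tag, desc in DEVICE_TAGS.items():
            yield (DEVICE_PREFIX + tag).encode(enc), label, f"device probe {desc} (method 11)"
        for key, num in REGISTRY_KEYS.items():
            yield key.encode(enc), label, f"registry key {num} (method 13)"


def scan_strings(data):
    """Return sorted (offset, encoding, description) tuples for each marker found."""
    hits = []
    for needle, label, desc in needles():
        # registry paths are case-insensitive, so the compare is as well
        for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
            hits.append((m.start(), label, desc))
    return sorted(hits)


# Constructed sample: an ANSI SICE probe, a wide NTICE probe, key #2 in mixed
# case, and a benign device path that must not match.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 8
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"SOFTWARE\\NuMega\\SoftIce\x00"
    + b"\x00" * 8
    + b"\\\\.\\PhysicalDrive0\x00"
)

if __name__ == "__main__":
    for offset, label, desc in scan_strings(SAMPLE):
        print(f"{offset:#06x}  {label:5} {desc}")
```

Matching only the first four characters after the prefix, as the BPX does, catches both the SICE and the SIWVID spellings with one tag each; the wide variant matters because a program compiled with UNICODE defined calls CreateFileW and the device name then sits in the binary interleaved with zero bytes, which an ANSI-only string search misses.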

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>