About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax, ax
    mov     es, ax          ; ES = 0 -> interrupt vector table (setup assumed)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
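Decoding the two DR7 values quoted above, as an added example that is not part of the original text: the bit layout is the documented x86 DR7 layout (bits 0-7 are the L0/G0..L3/G3 enables, bits 8 and 9 are LE/GE, bit 10 always reads as 1, bit 13 is GD, bits 16-31 hold R/Wn and LENn). It shows why 0x700 differs from 0x400 without any DR0-DR3 slot being armed, and the third value (0xF0403) is constructed here to show an armed data breakpoint. This is my own decoder, not code from the page.

```c
/* Added example, not from the original text: decode DR7 the way an analyst
 * reads it from a register dump. Layout is the documented x86 DR7 layout;
 * 0x700 and 0x400 are the values quoted in Method 10, 0xF0403 is constructed. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int l[4], g[4];   /* Ln/Gn enables for DR0..DR3: bits 0..7, alternating */
    int le, ge;       /* bits 8, 9: local/global exact breakpoint enable */
    int reserved10;   /* bit 10: reserved, reads as 1 on every CPU */
    int gd;           /* bit 13: general detect, traps any access to DRn */
    int rw[4];        /* R/Wn: 00 exec, 01 write, 10 I/O, 11 read/write */
    int len[4];       /* LENn: 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes */
} dr7_t;

dr7_t decode_dr7(uint32_t v)
{
    dr7_t d;
    for (int i = 0; i < 4; i++) {
        d.l[i]   = (v >> (2 * i))      & 1;
        d.g[i]   = (v >> (2 * i + 1))  & 1;
        d.rw[i]  = (v >> (16 + 4 * i)) & 3;
        d.len[i] = (v >> (18 + 4 * i)) & 3;
    }
    d.le = (v >> 8) & 1;
    d.ge = (v >> 9) & 1;
    d.reserved10 = (v >> 10) & 1;
    d.gd = (v >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots armed locally or globally: the "memory
 * breakpoints set" condition of Method 10. */
int dr7_armed_count(uint32_t v)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += ((v >> (2 * i)) & 3) != 0;
    return n;
}

/* Only the always-set reserved bit present, i.e. the 0x400 idle state. */
int dr7_is_idle(uint32_t v) { return (v & ~0x400u) == 0; }

static const char *rw_name(int rw)
{
    static const char *n[] = { "exec", "write", "I/O", "read/write" };
    return n[rw & 3];
}

/* LEN encoding is not monotonic: 00=1, 01=2, 10=8 (64-bit only), 11=4. */
static int len_bytes(int len)
{
    static const int b[] = { 1, 2, 8, 4 };
    return b[len & 3];
}

void print_dr7(uint32_t v)
{
    dr7_t d = decode_dr7(v);
    printf("DR7=%#x: LE=%d GE=%d GD=%d armed=%d\n", (unsigned)v,
           d.le, d.ge, d.gd, dr7_armed_count(v));
    for (int i = 0; i < 4; i++)
        if (d.l[i] || d.g[i])
            printf("  DR%d: %s%s %s, %d byte(s)\n", i, d.l[i] ? "L" : "",
                   d.g[i] ? "G" : "", rw_name(d.rw[i]), len_bytes(d.len[i]));
}

int main(void)
{
    print_dr7(0x700);    /* SoftICE loader: LE+GE set, no slot armed */
    print_dr7(0x400);    /* idle: only the reserved bit */
    print_dr7(0xF0403);  /* constructed: DR0 L+G, read/write, 4 bytes */
    return 0;
}
```

Reading it this way makes the text's two values concrete: 0x700 is 0x400 plus LE and GE, so a loaded SoftICE leaves a trace even with every BPM cleared, while an armed BPM shows up in bits 0-7 and is described by its R/Wn and LENn fields.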

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
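The breakpoints above catch the tricks at run time; an analyst usually wants to spot them in a sample before tracing it. As an added example that is not part of the original text, here is a small mask-based byte-signature scanner in C covering Methods 01, 02, 03/04, 05/06, 07 and 12 (their instruction sequences) and Method 11 (the driver device names passed to CreateFileA or _lopen), plus a function that mirrors the classic BPX CreateFileA condition. The opcode encodings are my own (16-bit encodings for the DOS listings, the mov ebp of Method 01 assumed in 32-bit code), the signature names and the sample image are constructed, and none of this is code from the page.

```c
/* Added example, not from the original text: a mask-based byte-signature
 * scanner that flags the anti-SoftICE sequences described above in a raw
 * binary image. Encodings assume 16-bit code for the DOS listings; the
 * sample image and signature names are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;    /* which trick the signature belongs to */
    const uint8_t *bytes;   /* expected bytes */
    const uint8_t *mask;    /* 0xFF: must match, 0x00: wildcard; NULL: exact */
    size_t         len;
    int            operand; /* offset of a 16-bit operand worth reporting, or -1 */
} sig_t;

/* Method 01: mov ebp,'BCHK'  (opcode BD + little-endian 4243484Bh) */
static const uint8_t m01_b[] = {0xBD,0x4B,0x48,0x43,0x42};
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t m02_b[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};
/* Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh, ID wildcarded */
static const uint8_t m03_b[] = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};
static const uint8_t m03_m[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0xFF,0xFF};
/* Methods 05/06: mov ax,4Fh / int 41h */
static const uint8_t m05_b[] = {0xB8,0x4F,0x00,0xCD,0x41};
/* Method 07: mov ah,43h / int 68h */
static const uint8_t m07_b[] = {0xB4,0x43,0xCD,0x68};
/* Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) */
static const uint8_t m12_b[] = {0x68,0x2A,0x00,0x2A,0x00};
/* Method 11: device names; the NUL terminator is excluded from the length */
static const uint8_t s_sice[]  = "\\\\.\\SICE";
static const uint8_t s_siwv[]  = "\\\\.\\SIWVID";
static const uint8_t s_ntice[] = "\\\\.\\NTICE";

static const sig_t SIGS[] = {
    { "M01 mov ebp,'BCHK'",   m01_b,   NULL,  sizeof m01_b,      -1 },
    { "M02 int 3 back door",  m02_b,   NULL,  sizeof m02_b,      -1 },
    { "M03/04 int 2Fh/1684h", m03_b,   m03_m, sizeof m03_b,       4 },
    { "M05/06 int 41h/4Fh",   m05_b,   NULL,  sizeof m05_b,      -1 },
    { "M07 int 68h/43h",      m07_b,   NULL,  sizeof m07_b,      -1 },
    { "M12 VxDCall 2A002Ah",  m12_b,   NULL,  sizeof m12_b,      -1 },
    { "M11 \\\\.\\SICE",      s_sice,  NULL,  sizeof s_sice - 1, -1 },
    { "M11 \\\\.\\SIWVID",    s_siwv,  NULL,  sizeof s_siwv - 1, -1 },
    { "M11 \\\\.\\NTICE",     s_ntice, NULL,  sizeof s_ntice - 1,-1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *name; size_t offset; uint16_t operand; } hit_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

static int match_at(const uint8_t *p, size_t avail, const sig_t *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++) {
        uint8_t m = s->mask ? s->mask[i] : 0xFF;
        if ((p[i] & m) != (s->bytes[i] & m)) return 0;
    }
    return 1;
}

/* Record every signature hit in offset order; returns the total number of
 * hits even when it exceeds max_hits, so callers can size their array. */
size_t scan_image(const uint8_t *buf, size_t n, hit_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf + off, n - off, &SIGS[k])) {
                if (count < max_hits) {
                    hits[count].name = SIGS[k].name;
                    hits[count].offset = off;
                    hits[count].operand = SIGS[k].operand >= 0
                        ? le16(buf + off + SIGS[k].operand) : 0;
                }
                count++;
            }
    return count;
}

/* Mirrors the classic BPX condition *(esp->4+4)=='SICE' || 'SIWV' || 'NTIC':
 * does the name after the "\\.\" prefix start with one of the three tags? */
int is_softice_device_name(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    for (size_t i = 0; i < 3; i++)
        if (strncmp(path + 4, tags[i], 4) == 0) return 1;
    return 0;
}

/* Constructed sample image: a Haspinst-style int 3 sequence, an int 2Fh
 * probe for SIWVID (7A5Fh) and a CreateFileA-style device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                                      /* nop filler        */
    0xB8, 0x11, 0x09,                                /* mov ax,0911h      */
    0x8B, 0x17,                                      /* mov dx,[bx]       */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,        /* mov si/di, int 3  */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F,  /* int 2Fh/1684h     */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,    /* "\\.\SICE"        */
    0xC3                                             /* ret               */
};

static hit_t sample_hits[8];
size_t sample_hit_count(void) { return scan_image(SAMPLE, sizeof SAMPLE, sample_hits, 8); }
const char *sample_hit_name(size_t i) { sample_hit_count(); return sample_hits[i].name; }
size_t sample_hit_offset(size_t i) { sample_hit_count(); return sample_hits[i].offset; }
uint16_t sample_hit_operand(size_t i) { sample_hit_count(); return sample_hits[i].operand; }

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t i = 0; i < n && i < 8; i++) {
        printf("offset %2zu: %s", sample_hits[i].offset, sample_hits[i].name);
        if (sample_hits[i].operand) printf(" (VxD ID %04Xh)", sample_hits[i].operand);
        printf("\n");
    }
    printf("\\\\.\\NTICE -> %d\n", is_softice_device_name("\\\\.\\NTICE"));
    return 0;
}
```

The wildcard mask is what lets one signature cover both Method 03 (0202h) and Method 04 (7a5Fh) and still report which VxD was probed. Packers that reorder or encrypt these sequences will slip past a static scan like this, so treat a hit as a triage hint and a miss as no information; the BPX and BPINT conditions in the text remain the run-time check.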

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>