<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must hold segment 0 (the IVT) here,
    xchg bx, es:[41h*4+2]   ; as set up in the next method
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap our handler into vector 41h...
    xchg bx, es:[41h*4+2]   ; ...keeping the old one in bx:dx
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE loader, 0x400 otherwise) or if there are some memory breakpoints set
(dr0 to dr3) simply by reading their value (in ring0 only). Values can be
manipulated and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________
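The DR7 values quoted above (0x400 idle, 0x700 under the SoftICE loader) follow directly from the register's bit layout, which is worth being able to read when a value turns up in a crash dump or a VM's saved register state. The decoder below is an added example and not part of the original text: it reports which hardware breakpoint slots a DR7 value arms, with their R/W and LEN fields (slightly more than the page discusses), and whether the LE/GE exact-match bits are set. The bit layout is the documented x86 one; classify_dr7 and its three labels are this example's own naming.

```python
"""Decoder for the DR7 values mentioned under Method 10.

Added example, not part of the original text.  The bit layout is that of
the x86 debug control register; classify_dr7 and its labels are this
example's own naming.
"""

# DR7 layout:
#   bit 2i      Li  local enable for DRi       bit 2i+1   Gi  global enable
#   bit 8       LE  local exact match          bit 9      GE  global exact match
#   bit 10      reserved, always reads as 1    bit 13     GD  general detect
#   bits 16+4i..17+4i  R/Wi: 00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i..19+4i  LENi: 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Describe which hardware breakpoint slots DR7 enables and how."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        slots.append({
            "slot": i,
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
        })
    return {
        "breakpoints": slots,
        "exact_match": bool(dr7 & 0x300),      # LE or GE
        "general_detect": bool(dr7 & 0x2000),  # GD: trap any DRx access
    }


def classify_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Map a DR7 value (plus the DR0-DR3 addresses, if captured) to the
    three situations the page distinguishes."""
    info = decode_dr7(dr7)
    if info["breakpoints"] or any(dr0_3):
        return "hardware breakpoints armed"
    if info["exact_match"]:
        return "no breakpoints, LE/GE set"   # the page's 0x700 case
    return "idle"                            # the page's 0x400 case


# Constructed example: slot 0 armed globally as a 4-byte write watchpoint,
# which is what a BPM-style memory breakpoint looks like in DR7.
def example_bpm_dr7():
    dr7 = 0x400            # reserved bit 10
    dr7 |= 1 << 1          # G0
    dr7 |= 0b01 << 16      # R/W0 = write
    dr7 |= 0b11 << 18      # LEN0 = 4 bytes
    return dr7             # 0xD0402


if __name__ == "__main__":
    for value in (0x400, 0x700, example_bpm_dr7()):
        print(f"DR7={value:#x}: {classify_dr7(value)} "
              f"{decode_dr7(value)['breakpoints']}")
```

Run it and the two values from the text come out as "idle" and "no breakpoints, LE/GE set": 0x700 differs from 0x400 only in the LE/GE bits, which is why reading DR7 alone tells the program how it was started but not where any BPM sits; that needs DR0 to DR3 and the per-slot enable bits.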

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when an open request on the SoftICE Win9x driver "SICE"
   succeeds, i.e. when the VxD is loaded and answers DIOC_OPEN. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
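Every code trick on this page leaves a fixed byte sequence in the binary, and Methods 11 and 13 leave fixed strings, so when triaging a packed sample you can look for them statically instead of waiting to hit the breakpoints listed under each method. The scanner below is an added example and not code from the original text or from any of the programs it names: it encodes the instruction sequences quoted for Methods 01 to 08 and 12 (16-bit operand size for the DOS code, exactly as printed; the Method 12 push has two plausible encodings, both included) plus the device and registry strings of Methods 11 and 13, and reports every hit with its offset. For a Method 02 hit it also looks back for the mov ax,09xxh that selects the back-door function, using the AX table from that method. The signature labels and the SAMPLE blob are constructed for this demonstration.

```python
"""Static scanner for the SoftICE-detection idioms quoted on this page.

Added example (not the original text's code).  Byte encodings assume 16-bit
operand size for the DOS tricks (Methods 01-08) and 32-bit code for the
Win32 VxDCall trick (Method 12).  '??' in a pattern matches any byte.
"""
import re

CODE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') before int 3 (opcode BD + imm32;
    # the 66h prefix present in 16-bit code is simply left out of the pattern)
    ("M01 mov ebp,'BCHK' / int 3 BoundsChecker check", "BD 4B 48 43 42"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the SoftICE int 3 back door
    ("M02 SoftICE int 3 back door (SI=4647h, DI=4A4Dh)", "BE 47 46 BF 4D 4A"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)", "B8 84 16 BB 02 02 CD 2F"),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", "B8 84 16 BB 5F 7A CD 2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh debugger installation check", "B8 4F 00 CD 41"),
    # Method 06: in al,40h / xor cx,cx (either encoding) / int 41h
    ("M06 int 41h with swapped handler (in al,40h)", "E4 40 ?? ?? CD 41"),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h V86 WinICE check", "B4 43 CD 68"),
    # Method 08: mov ah,25h / mov al,01h|03h / mov dx,imm16 / int 21h
    ("M08 int 21h/25h hooking int 01h", "B4 25 B0 01 BA ?? ?? CD 21"),
    ("M08 int 21h/25h hooking int 03h", "B4 25 B0 03 BA ?? ?? CD 21"),
    # Method 12: push 4Fh (imm8 or imm32 form) / push 2A002Ah before VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch, function 4Fh", "6A 4F 68 2A 00 2A 00"),
    ("M12 VxDCall VWIN32_Int41Dispatch, function 4Fh", "68 4F 00 00 00 68 2A 00 2A 00"),
    # The comparison shared by Methods 05, 07 and 12: cmp ax,0F386h
    ("cmp ax,0F386h (system debugger magic number)", "3D 86 F3"),
]

STRING_SIGNATURES = [
    ("M11 device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("M11 device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("M11 device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("M13 registry key #1", b"Uninstall\\SoftICE"),
    ("M13 registry key #2", b"Software\\NuMega\\SoftICE"),
    ("M13 registry key #3", b"App Paths\\Loader32.Exe"),
]

# AX values of the int 3 back door, from Method 02
BACKDOOR_FUNCTIONS = {
    0x0910: "display string", 0x0911: "execute command",
    0x0912: "get breakpoints", 0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}


def compile_pattern(pattern):
    """Turn 'B8 4F ?? CD' into a bytes regex, '??' matching any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob):
    """Return every (offset, label) hit in blob, sorted by offset."""
    hits = []
    for label, pattern in CODE_SIGNATURES:
        hits += [(m.start(), label) for m in compile_pattern(pattern).finditer(blob)]
    for label, needle in STRING_SIGNATURES:
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def backdoor_function(blob, offset):
    """For a Method 02 hit at offset, look back up to 8 bytes for
    'mov ax,imm16' (B8 lo hi) and name the back-door function selected."""
    window = blob[max(0, offset - 8):offset]
    idx = window.rfind(b"\xB8")
    if idx == -1 or idx + 2 >= len(window):
        return None
    return BACKDOOR_FUNCTIONS.get(window[idx + 1] | (window[idx + 2] << 8))


# Constructed sample blob: NOP padding, the Haspinst.exe sequence from
# Method 02 (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3),
# the simplest Method 05 check with its cmp/jz, and a Method 11 device name.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")
    + b"\x00" * 8
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05")
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        extra = backdoor_function(SAMPLE, offset) if label.startswith("M02") else None
        print(f"{offset:#06x}  {label}" + (f"  [{extra}]" if extra else ""))
```

On the constructed blob this reports the back door at 0x15 with function "execute command", the int 41h check at 0x24 followed by its cmp ax,0F386h, and the \\.\SICE string at 0x36. Run it over a real sample's code and data sections; a hit only tells you the idiom is present, not that it runs (packers often carry dead variants), so confirm with the matching BPX from the relevant method.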

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>