<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which the HASP dongle
Envelope utility uses to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point at segment 0 (the IVT), see Method 06
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The program installs its own int 41h handler, which copies al into cl, then
calls int 41h with a non-constant value read from port 40h (the timer); if
SoftICE has taken over int 41h, the copy never happens and cl no longer
equals al:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the Win9x SoftICE driver by its device name */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
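As an added example (not part of the original text), here is a small static scanner in Python that flags the instruction encodings and strings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a binary, the kind of triage an analyst runs on a sample before attaching a debugger to it. The byte patterns and the sample buffer are constructed here from the listings above and are assumptions about how the tricks are commonly encoded, not part of any tool the text mentions.

```python
"""Static scanner for the anti-SoftICE tricks listed in this text.

The byte patterns are constructed here from the instruction encodings in the
listings above (16-bit operands; an optional 66h prefix covers the same
instruction inside 32-bit code). A hit only marks a candidate location that
an analyst still has to confirm in a disassembler.
"""
import re

SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') before the int 3
    "01 BoundsChecker BCHK": rb"\x66?\xbd\x4b\x48\x43\x42",
    # Method 02: mov si, 4647h and mov di, 4A4Dh (back door magic values)
    "02 back-door magic SI/DI": rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a",
    # Methods 03/04: mov ax, 1684h ; mov bx, 0202h or 7A5Fh ; int 2Fh
    "03/04 int 2Fh VxD entry point":
        rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Method 05: mov ax, 4Fh ; int 41h ; cmp ax, 0F386h
    "05 int 41h function 4Fh": rb"\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x3d\x86\xf3",
    # Method 07: mov ah, 43h ; int 68h
    "07 int 68h function 43h": rb"\xb4\x43\xcd\x68",
    # Method 11 (MeltICE): driver device names handed to CreateFileA/_lopen
    "11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 13: SoftICE registry keys
    "13 SoftICE registry key":
        rb"(?:NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return (offset, trick) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: the encodings of several methods glued together with
# filler, so the scanner can be exercised without a real protected binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # method 01
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"       # method 02
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"       # method 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x02"               # method 05
    + b"\\\\.\\SICE\x00"                                         # method 11
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"       # method 12
    + b"Software\\NuMega\\SoftICE\x00"                           # method 13
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, trick in scan(blob):
        print(f"{offset:#010x}  {trick}")
```

Run it with a file path to scan that file; with no argument it scans the constructed SAMPLE and reports seven hits.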
</PRE></TD></TR></TBODY></TABLE>