<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE services through int 3:
the code relies on SoftICE's int 3 handler changing AL when it answers the
'BCHK' request, while AL is still 4 on return when nothing handled the call.

        mov ebp, 04243484Bh     ; 'BCHK' signature expected by SoftICE
        mov ax, 04h             ; BoundsChecker sub-function
        int 3
        cmp al,4                ; AL untouched -> nobody serviced the call
        jnz SoftICE_Detected    ; AL changed   -> SoftICE answered

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

  4C19:0095  MOV AX,0911      ; execute command.
  4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
  4C19:009A  MOV SI,4647      ; 1st magic value.
  4C19:009D  MOV DI,4A4D      ; 2nd magic value.
  4C19:00A0  INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
  4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
  4C19:00A4  INC CX
  4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
  4C19:00A8  JB 0095          ; 6 different commands.
  4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
  4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own handler for the int 3, an "SEH" in the original wording) which only
  runs if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI comes back as 0000:0000 when no VxD
with that ID provides an API, i.e. when SoftICE is not loaded.

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of SICE (winice)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still zero -> VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (the debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax,4fh              ; int 41h/4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; a system debugger answers with AX = 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).
The program first points the int 41h vector at its own handler (a bare IRET),
so the call is harmless when no debugger is installed and AX comes back as
4Fh; SoftICE intercepts the int 41h before the vector in the table is used
and returns 0F386h anyway:

        xor ax,ax
        mov es,ax               ; ES = 0 -> real mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old
        xchg bx, es:[41h*4+2]   ; vector in BX:DX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: there
is no 4Fh/0F386h constant to put a conditional breakpoint on. The handler
copies AL into CL, so CL == AL afterwards only if the program's own handler
actually ran; when SoftICE intercepts the int 41h the handler is not reached
and CL stays 0. (The byte read from port 40h is arbitrary: should it happen
to be 0, this variant misses SoftICE for that one run.)


int41handler PROC
        mov cl,al               ; proof that our handler was reached
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old one
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a byte from the timer (PIT counter 0)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h              ; int 68h/43h: debugger installation check
        int 68h
        cmp ax,0F386h           ; same magic number as int 41h/4Fh
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        push cs
        pop ds                  ; DS:DX must address the new handler
        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.


        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (ring 0 only: a MOV from a debug register faults in
ring 3). Bit 10 of DR7 is reserved and always reads as 1, which is where
the 0x400 baseline comes from; 0x700 means the LE and GE bits (8 and 9) are
set as well. Values can be manipulated or changed too (clearing BPMs for
instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if SICE is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
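
Added example (mine, not code from the page or from any of the protections it
names): a static signature scanner in C for the byte patterns of methods 01,
02, 03/04, 05, 07 and 12, for triaging a packed DOS/Win9x executable before
stepping through it under SoftICE. The rule names, the search windows and the
sample byte string (the page's snippets re-assembled by hand, Haspinst loop
included) are my own constructions; plain 16-bit DOS or 32-bit flat code is
assumed, and the 66h operand-size prefix is tolerated because every rule is
anchored on the opcode byte that follows it.

```c
/* Static scanner for the anti-SoftICE byte patterns described on this page.
   Added example, not code from the page or from any protection it discusses.
   Assumption: plain 16-bit DOS or 32-bit flat code; a 66h prefix in front of
   an anchor opcode is tolerated because rules anchor on the opcode itself. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define WILD (-1)        /* wildcard byte in a pattern                         */
#define MAX_PAT 8
#define LOOKBACK 8       /* extra patterns may sit this far before the anchor   */

typedef struct { int b[MAX_PAT]; int n; } Pat;
typedef struct {
    const char *name;    /* method number on this page                         */
    Pat anchor;          /* must match exactly at the reported offset           */
    Pat also[2];         /* must also appear within [off-LOOKBACK, off+window)  */
    int n_also;
    int window;
} Rule;

/* Encodings used: B8+r = MOV r16,imm16; BD = MOV EBP,imm32; CC = INT 3;
   CD nn = INT nn; B4 = MOV AH,imm8; 6A = PUSH imm8; 68 = PUSH imm32. */
static const Rule rules[] = {
    { "Method01 BCHK int3",         {{0xBD,0x4B,0x48,0x43,0x42},5}, {{{0xCC},1}},                           1, 12 },
    { "Method02 int3 backdoor",     {{0xBE,0x47,0x46},3},           {{{0xBF,0x4D,0x4A},3},{{0xCC},1}},       2, 12 },
    { "Method03 int2F/1684 SICE",   {{0xB8,0x84,0x16},3},           {{{0xBB,0x02,0x02},3},{{0xCD,0x2F},2}},  2, 12 },
    { "Method04 int2F/1684 SIWVID", {{0xB8,0x84,0x16},3},           {{{0xBB,0x5F,0x7A},3},{{0xCD,0x2F},2}},  2, 12 },
    { "Method05 int41/4F",          {{0xB8,0x4F,0x00},3},           {{{0xCD,0x41},2}},                       1,  8 },
    { "Method07 int68/43",          {{0xB4,0x43,0xCD,0x68},4},      {{{0},0}},                               0,  0 },
    { "Method12 VxDCall 2A002A/4F", {{0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00},7}, {{{0},0}},                     0,  0 },
};

static int pat_at(const unsigned char *buf, size_t len, size_t off, const Pat *p)
{
    if (p->n == 0 || off + (size_t)p->n > len) return 0;
    for (int i = 0; i < p->n; i++)
        if (p->b[i] != WILD && buf[off + i] != (unsigned char)p->b[i]) return 0;
    return 1;
}

/* first offset in [lo, hi) where p matches, or -1 */
static long pat_in(const unsigned char *buf, size_t len, size_t lo, size_t hi, const Pat *p)
{
    if (hi > len) hi = len;
    for (size_t o = lo; o < hi; o++)
        if (pat_at(buf, len, o, p)) return (long)o;
    return -1;
}

typedef struct { const char *name; size_t offset; int ax_func; } Hit;

/* Fills hits[] in offset order; ax_func is the 09xxh back door function when a
   MOV AX,09xxh sits near the hit (Method 02), -1 otherwise. Returns hit count. */
size_t scan_anti_softice(const unsigned char *buf, size_t len, Hit *hits, size_t max_hits)
{
    static const Pat mov_ax_09xx = {{0xB8, WILD, 0x09}, 3};
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++) {
        for (size_t r = 0; r < sizeof rules / sizeof rules[0] && n < max_hits; r++) {
            const Rule *rule = &rules[r];
            size_t lo = off >= LOOKBACK ? off - LOOKBACK : 0, hi = off + (size_t)rule->window;
            int ok = pat_at(buf, len, off, &rule->anchor);
            for (int k = 0; ok && k < rule->n_also; k++)
                ok = pat_in(buf, len, lo, hi, &rule->also[k]) >= 0;
            if (!ok) continue;
            long m = pat_in(buf, len, lo, hi, &mov_ax_09xx);
            hits[n].name = rule->name;
            hits[n].offset = off;
            hits[n].ax_func = m >= 0 ? (0x0900 | buf[m + 1]) : -1;
            n++;
        }
    }
    return n;
}

/* Constructed sample: the page's snippets assembled back to bytes. */
static const unsigned char sample_code[] = {
    /* Haspinst loop (Method 02): mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 ... */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB, 0x90,0x90,0x90,0x90,
    /* Method 01 (16-bit, 66h prefix): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    /* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10,
    /* Method 12 (32-bit): push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0x00,0x00,0x00,0x00, 0x66,0x3D,0x86,0xF3,
    /* Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    /* Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x05,
};

int main(void)
{
    Hit hits[16];
    size_t n = scan_anti_softice(sample_code, sizeof sample_code, hits, 16);
    for (size_t i = 0; i < n; i++) {
        printf("%-28s at +0x%02zx", hits[i].name, hits[i].offset);
        if (hits[i].ax_func >= 0) printf(" (back door function AX=%04X)", hits[i].ax_func);
        printf("\n");
    }
    return 0;
}
```

The windows are deliberately small (a dozen bytes): the tricks on this page
load the magic values immediately before the INT, so a wider window mostly
adds false positives from unrelated MOV/INT pairs. Method 06 and 08 have no
fixed constants to match and are left to dynamic analysis, as the page's own
breakpoints for them suggest.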

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 in "Software\NuMega\SoftICE" and in the Uninstall key path respectively.)
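
Added example (mine, not from the page): a small helper that derives the
offsets used in the conditional breakpoints of Method 11 (CreateFileA /
'SICE', 'SIWV', 'NTIC') and Method 13 (_regopenkey / 'tICE') from the strings
the protections pass, so the same breakpoints can be rebuilt for any other
device name or key path. It assumes, as the page's BPX lines do, that SoftICE
compares a quoted 4-character literal with the four bytes found at the given
address in memory order. The input strings are the ones quoted on this page.

```c
/* Derives the offsets in the conditional breakpoints of Methods 11 and 13.
   Added example, not from the page. Assumption: SoftICE compares a quoted
   4-character literal with the four bytes found at the address, in memory
   order, which is what the page's BPX lines rely on. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The dword value such a literal ('SICE') stands for, assembled little-endian
   so the result does not depend on the host's byte order. */
uint32_t sice_literal(const char *tag)
{
    const unsigned char *t = (const unsigned char *)tag;
    return (uint32_t)t[0] | ((uint32_t)t[1] << 8) | ((uint32_t)t[2] << 16) | ((uint32_t)t[3] << 24);
}

/* Offset of the first 4-byte window of s equal to tag, or -1 if absent. */
long tag_offset(const char *s, const char *tag)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0) return (long)i;
    return -1;
}

/* Text of one "*(<argref>+off)=='TAG'" clause; argref is e.g. "esp->8" for
   the second stack argument. Returns -1 when the tag is not in the string. */
int format_condition(char *out, size_t outsz, const char *argref, const char *s, const char *tag)
{
    long off = tag_offset(s, tag);
    if (off < 0) return -1;
    if (off == 0) snprintf(out, outsz, "*(%s)=='%.4s'", argref, tag);
    else          snprintf(out, outsz, "*(%s+0x%lx)=='%.4s'", argref, off, tag);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the strings the page's breakpoints inspect. */
    const char *keys[] = { "Software\\NuMega\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" };
    const char *devs[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1" };
    const char *tags[] = { "SICE", "SIWV", "NTIC" };
    char cond[80];

    printf("'SICE' as a dword: %08X\n", (unsigned)sice_literal("SICE"));
    for (int i = 0; i < 2; i++)
        if (format_condition(cond, sizeof cond, "esp->8", keys[i], "tICE") == 0)
            printf("BPX _regopenkey if %s\n", cond);
    for (int i = 0; i < 4; i++) {
        int found = 0;
        for (int t = 0; t < 3 && !found; t++)
            if (format_condition(cond, sizeof cond, "esp->4", devs[i], tags[t]) == 0) {
                printf("%-12s -> BPX CreateFileA if %s\n", devs[i], cond);
                found = 1;
            }
        if (!found) printf("%-12s -> not a SoftICE device name\n", devs[i]);
    }
    return 0;
}
```

The 4-byte compare is what makes 'SIWV' enough to catch "\\.\SIWVID": only
the first four characters after the prefix take part, so a breakpoint on
'SIWV' fires for any device name starting that way.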

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>