<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE answers a BoundsChecker call...
        cmp al,4                ; ...by modifying al (al==4 means nobody answered)
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (still 0:0 if the VxD is absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
        mov ax,4fh
        int 41h                 ; SoftICE still sees this int 41h and answers it
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; without a debugger, ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl...
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the handler, keeping the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer port value (hard to predict)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...so cl==al only if our handler really ran
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS Set Interrupt Vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the VxD's device name; a valid handle means the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set = no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>