<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP='BCHK' and
AX=4, the INT 3 is serviced by SoftICE, which alters AL. If AL is no longer
4 afterwards, SoftICE is loaded.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next example, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with a dummy handler (a plain iret), so that only a debugger sitting
below the vector table can still answer with the magic number:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if the int 41h really reached the dummy
handler, CL equals AL afterwards, otherwise something else (the debugger)
answered the call:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as
well (clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the device succeeds only if the SICE VxD answers the open */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
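
Added example (my own code, not part of the original text and not taken from
any of the tools named above): a small Python scanner that looks for the byte
patterns and strings which the tricks above (methods 01 to 08 and 10 to 13)
leave in a binary, so that an analyst can tell which of them a sample uses
before it is run under a debugger. The opcode encodings, the small wildcard
gaps allowed between marker instruction and INT, and the SAMPLE blob are this
example's own assumptions; it reports likely uses, not proof. Methods 09 and 14
are plain VMM service calls with no fixed byte signature and are not covered.

```python
"""Static scanner for the anti-SoftICE tricks catalogued in the text above."""
import re

# Encodings assume 16-bit code for the DOS tricks (02-08) and 32-bit code for
# the Win32 ones (01, 10, 12); .{0,n} tolerates instructions interleaved
# between the marker and the INT. These encodings are this example's assumption.
OPCODE_SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",                # mov ebp,4243484Bh .. int 3
    "02 back door magic SI=4647h/DI=4A4Dh + int 3":
        rb"(?:\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46)"
        rb".{0,16}(?:\xCC|\xCD\x03)",
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"(?:\xB8\x84\x16.{0,8}\xBB\x02\x02|\xBB\x02\x02.{0,8}\xB8\x84\x16).{0,8}\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"(?:\xB8\x84\x16.{0,8}\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}\xB8\x84\x16).{0,8}\xCD\x2F",
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,16}\xCD\x41",                    # mov ax,4Fh .. int 41h
    "06 in al,40h + int 41h (Stone's variant)":
        rb"\xE4\x40.{0,8}\xCD\x41",
    "07 int 68h function 43h":
        rb"\xB4\x43.{0,8}\xCD\x68",                         # mov ah,43h .. int 68h
    "08 int 21h/25h on vector 01h or 03h":
        rb"(?:\xB4\x25.{0,8}\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}\xCD\x21",
    "10 mov reg, dr0-dr3/dr7 (ring 0 only)":
        rb"\x0F\x21[\xC0-\xDF\xF8-\xFF]",                   # MOV r32, DRn
    "12 VxDCall VWIN32_Int41Dispatch with ax=4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                   # push 4Fh / push 2A002Ah
}

# Device names (method 11) and registry paths (method 13), checked both as
# ASCII and as UTF-16LE, since a Win32 program may use the W API variants.
STRING_SIGNATURES = {
    "11 MeltICE CreateFile/_lopen on a SoftICE device":
        ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"],
    "13 SoftICE registry keys":
        ["Software\\NuMega\\SoftICE", "Uninstall\\SoftICE", "App Paths\\Loader32.Exe"],
}


def scan(blob: bytes) -> list:
    """Return the sorted list of method labels whose signature appears in blob."""
    hits = set()
    for label, pattern in OPCODE_SIGNATURES.items():
        if re.search(pattern, blob, re.DOTALL):
            hits.add(label)
    for label, names in STRING_SIGNATURES.items():
        for name in names:
            if name.encode("ascii") in blob or name.encode("utf-16-le") in blob:
                hits.add(label)
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. an unpacked executable or a memory dump)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample blob: hand-assembled fragments of several tricks glued
# together with NOPs. It is not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"                          # method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                          # method 05
    + b"\x0F\x21\xF8"                                              # method 10: mov eax,dr7
    + b"\\\\.\\SICE\x00"                                           # method 11 (ASCII)
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"             # method 11 (UTF-16)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"                      # method 12
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13
)

if __name__ == "__main__":
    for label in scan(SAMPLE):
        print("found:", label)
```

On the constructed SAMPLE the scanner reports methods 01, 02, 03, 05, 10, 11,
12 and 13; run it on a clean NOP sled and it reports nothing. Because the
patterns tolerate a few interleaved bytes, treat a hit as a lead to confirm in
the disassembly rather than as a verdict, and widen or narrow the gaps to tune
the false-positive rate for your own corpus.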
</PRE></TD></TR></TBODY></TABLE>