<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: the 'BCHK'
signature is passed in EBP with AX=4 on an int 3. If SoftICE is present it
handles the call and changes AL, so the code simply tests whether AL is
still 4 afterwards.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL unchanged -> nobody handled the BoundsChecker call
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(the "Get Device API Entry Point" call): if the VxD is loaded, ES:DI
receives a non-zero entry point, otherwise it stays 0:0.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (the debugger
installation check).
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy handler, so that on a plain DOS system (where nothing hooks
int 41h) AX cannot come back changed; only a debugger sitting in front of
the interrupt vector table can still answer 0F386h:

 xor ax,ax
 mov es,ax ; ES must be 0 to reach the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect: instead
of looking at the 0F386h return value, it checks whether its own int 41h
handler was reached at all. The handler copies AL into CL; if SoftICE
intercepts int 41h and returns by itself, CL stays 0 and differs from the
timer byte that was read into AL (the check misses only when that byte
happens to be 0):

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer counter: a random-ish value in AL
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID (VxD ID)
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their values (in ring0 only, since MOV from a debug register is
a privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).

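As an added example (not code from the original article), here is a C routine that decodes the DR7 values quoted above, counts the enabled hardware breakpoints and shows what "clearing the BPMs" amounts to. Because MOV from a debug register is privileged, the code does not read the registers itself: it takes DR0-DR3/DR7 as input (the sample values are constructed for the example) and reports what a VxD reading them would conclude. The bit layout is the IA-32 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always reading as 1, GD bit 13, R/Wn and LENn in bits 16-31); the struct and function names are mine.

```c
/* Added example, not from the original article: decoding DR7 as a ring0
 * SoftICE check would. Values are passed in, not read with MOV EAX,DR7. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t dr[4]; /* DR0..DR3: breakpoint linear addresses */
    uint32_t dr7;   /* debug control register */
} debug_regs;

typedef struct {
    int enabled;      /* L or G bit set for this slot */
    int global;       /* G bit set */
    uint32_t addr;    /* DRn */
    const char *kind; /* "exec", "write", "io", "rw" */
    int len;          /* 1, 2 or 4 bytes (8 exists only in 64-bit mode) */
} hw_bp;

typedef struct {
    hw_bp bp[4];
    int nbp;             /* enabled hardware breakpoints (BPMs in SoftICE terms) */
    int le, ge, gd;      /* local exact, global exact, general detect */
    int debugger_loaded; /* the article's test: LE/GE set -> SoftICE loader */
} dr7_report;

static const char *rw_name(unsigned rw) {
    static const char *names[4] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

static int len_bytes(unsigned len) {
    static const int bytes[4] = { 1, 2, 8, 4 }; /* 10b = 8 bytes, 64-bit only */
    return bytes[len & 3];
}

dr7_report decode_debug_regs(const debug_regs *r) {
    dr7_report rep = {0};
    uint32_t dr7 = r->dr7;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        hw_bp *b = &rep.bp[i];
        b->enabled = local | global;
        b->global  = global;
        b->addr    = r->dr[i];
        b->kind    = rw_name(dr7 >> (16 + 4 * i));
        b->len     = len_bytes(dr7 >> (18 + 4 * i));
        rep.nbp   += b->enabled;
    }
    rep.le = (dr7 >> 8) & 1;
    rep.ge = (dr7 >> 9) & 1;
    rep.gd = (dr7 >> 13) & 1;
    /* 0x400 is only the always-set reserved bit 10; 0x700 adds LE and GE,
     * which is what the SoftICE loader leaves behind. */
    rep.debugger_loaded = rep.le || rep.ge;
    return rep;
}

/* DR7 with every enable bit and every R/W+LEN field cleared: what a
 * protector writes back to silently kill BPMs (bit 10 stays set). */
uint32_t dr7_with_bpm_cleared(uint32_t dr7) {
    return (dr7 & ~0xFFFF00FFu) | 0x400u;
}

int main(void) {
    /* Constructed sample: program started by the SoftICE loader (0x700) with
     * one BPM in DR0: L0=1, R/W0=01b (write), LEN0=11b (4 bytes). */
    debug_regs r = { { 0x00401000u, 0, 0, 0 },
                     0x700u | 0x1u | (1u << 16) | (3u << 18) };
    dr7_report rep = decode_debug_regs(&r);
    printf("debugger loaded: %s, %d hardware breakpoint(s)\n",
           rep.debugger_loaded ? "yes" : "no", rep.nbp);
    for (int i = 0; i < 4; i++)
        if (rep.bp[i].enabled)
            printf("  DR%d: %s at %08X, %d byte(s), %s\n", i, rep.bp[i].kind,
                   rep.bp[i].addr, rep.bp[i].len,
                   rep.bp[i].global ? "global" : "local");
    printf("DR7 after clearing BPMs: %08X\n", dr7_with_bpm_cleared(r.dr7));
    return 0;
}
```

The 0x700/0x400 distinction in the text is exactly LE and GE (bits 8 and 9) on top of the always-set bit 10, and the "ring0 only" caveat applies to the raw MOV from DR7: on NT-class Windows a ring3 program can still obtain a thread's DR0-DR7 through GetThreadContext with CONTEXT_DEBUG_REGISTERS, so the same decode applies there.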
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the open succeeded only because the VxD answered */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

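As an added example (not code from the original article): the instruction sequences quoted in methods 01 to 07 and 12, and the device names from method 11, are fixed enough to be recognised statically, so here is a small C scanner that searches a byte buffer for them before the program is ever run under SoftICE. It matches the 16-bit encodings of the quoted sequences (in 32-bit code the same bytes follow a 66h operand-size prefix, which is deliberately left out of the patterns so both forms hit), with a one-byte wildcard for the two encodings of xor cx,cx in method 06. The sample buffer is constructed here by re-encoding the Haspinst.exe loop and the method 05/12 snippets from the text; it is not taken from any real file, and the signature names and function names are mine.

```c
/* Added example, not from the original article: static signature scan for
 * the SoftICE checks described in methods 01-07, 11 and 12. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WILD (-1) /* matches any byte */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    const char *name;
    const int16_t *pat; /* 0x00..0xFF = literal byte, WILD = any byte */
    size_t len;
} softice_sig;

static const int16_t P_M01[] = {0xBD,0x4B,0x48,0x43,0x42};           /* mov ebp,4243484Bh ('BCHK') */
static const int16_t P_M02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};      /* mov si,4647h ; mov di,4A4Dh */
static const int16_t P_M03[] = {0xBB,0x02,0x02,0xCD,0x2F};           /* mov bx,0202h ; int 2Fh (SICE) */
static const int16_t P_M04[] = {0xBB,0x5F,0x7A,0xCD,0x2F};           /* mov bx,7A5Fh ; int 2Fh (SIWVID) */
static const int16_t P_M05[] = {0xB8,0x4F,0x00,0xCD,0x41};           /* mov ax,4Fh ; int 41h */
static const int16_t P_M06[] = {0xE4,0x40,WILD,0xC9,0xCD,0x41};      /* in al,40h ; xor cx,cx (31h/33h C9h) ; int 41h */
static const int16_t P_M07[] = {0xB4,0x43,0xCD,0x68};                /* mov ah,43h ; int 68h */
static const int16_t P_M12[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh ; push 002A002Ah */
static const int16_t P_SICE[]   = {'\\','\\','.','\\','S','I','C','E'};
static const int16_t P_SIWVID[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const int16_t P_NTICE[]  = {'\\','\\','.','\\','N','T','I','C','E'};

static const softice_sig SIGS[] = {
    {"M01 BoundsChecker 'BCHK' via int 3",    P_M01,    LEN(P_M01)},
    {"M02 int 3 back door magic SI/DI",       P_M02,    LEN(P_M02)},
    {"M03 int 2Fh/1684h SICE VxD ID",         P_M03,    LEN(P_M03)},
    {"M04 int 2Fh/1684h SIWVID VxD ID",       P_M04,    LEN(P_M04)},
    {"M05 int 41h/4Fh installation check",    P_M05,    LEN(P_M05)},
    {"M06 int 41h handler-reached check",     P_M06,    LEN(P_M06)},
    {"M07 int 68h/43h installation check",    P_M07,    LEN(P_M07)},
    {"M12 VxDCall VWIN32_Int41Dispatch 4Fh",  P_M12,    LEN(P_M12)},
    {"M11 MeltICE device name \\\\.\\SICE",   P_SICE,   LEN(P_SICE)},
    {"M11 MeltICE device name \\\\.\\SIWVID", P_SIWVID, LEN(P_SIWVID)},
    {"M11 MeltICE device name \\\\.\\NTICE",  P_NTICE,  LEN(P_NTICE)},
};
#define NSIGS LEN(SIGS)

static int match_at(const uint8_t *p, const softice_sig *s) {
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && p[i] != (uint8_t)s->pat[i])
            return 0;
    return 1;
}

/* Scans buf and returns a bitmask: bit i is set if SIGS[i] occurs anywhere. */
unsigned scan_for_softice_checks(const uint8_t *buf, size_t n) {
    unsigned found = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        const softice_sig *s = &SIGS[i];
        for (size_t off = 0; off + s->len <= n; off++) {
            if (match_at(buf + off, s)) { found |= 1u << i; break; }
        }
    }
    return found;
}

size_t softice_sig_count(void) { return NSIGS; }
const char *softice_sig_name(unsigned i) { return i < NSIGS ? SIGS[i].name : NULL; }

/* Constructed sample: nop filler, the method 02 loop from the Haspinst.exe
 * listing, a method 05 check, method 12 VxDCall arguments and the
 * "\\.\SICE" string used by MeltICE. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90,                          /* nop ; nop ; nop */
    0xB8, 0x11, 0x09,                          /* mov ax,0911h */
    0x8B, 0x17,                                /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                          /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                          /* mov di,4A4Dh */
    0xCC,                                      /* int 3 */
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06,  /* add bx,2 ; inc cx ; cmp cx,6 */
    0x72, 0xEB,                                /* jb back to mov ax,0911h */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,              /* mov ax,4Fh ; int 41h */
    0x3D, 0x86, 0xF3,                          /* cmp ax,0F386h */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,  /* push 4Fh ; push 002A002Ah */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0xC3                                       /* ret */
};

int main(void) {
    unsigned hits = scan_for_softice_checks(SAMPLE, sizeof SAMPLE);
    for (unsigned i = 0; i < NSIGS; i++)
        if (hits & (1u << i))
            printf("found: %s\n", softice_sig_name(i));
    return hits ? 1 : 0; /* grep-style: exit 1 when something was found */
}
```

To use it on a real executable, feed the file's code sections (and the data section, for the device-name strings) as buf. The patterns are immediate-value based, so a protector that builds 4647h/4A4Dh arithmetically, uses another register order, or decrypts the check at run time will not be caught; the scanner is a triage aid for deciding which of the breakpoints listed above to set, not a proof of absence.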
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>