About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
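As an added example (not part of the original post), here is a small Python scanner that looks for the byte sequences and strings of the checks listed above (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a binary, the kind of static triage an analyst does before loading a sample. It assumes the 16-bit encodings shown in the text for the DOS-style checks and a 32-bit encoding for the 'BCHK' load, and runs on a constructed sample buffer embedded inline.

```python
import re

# Byte-level signatures for the checks described above. The DOS-style
# checks (int 41h, int 68h, int 2Fh) are matched in their 16-bit encoding
# as listed in the text; the 'BCHK' load is matched in 32-bit form.
DEVICE_PREFIX = re.escape(b"\\\\.\\")          # the literal \\.\ device prefix
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "bchk_int3": re.compile(
        rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC\x3C\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (SoftICE back door)
    "backdoor_magic": re.compile(
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "int2f_vxd_id": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "int68_43": re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.S),
    # Method 11: driver device names opened with CreateFileA / _lopen
    "device_name": re.compile(DEVICE_PREFIX + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "vxdcall_int41": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: registry path probed to locate the installation directory
    "registry_key": re.compile(re.escape(b"Software\\NuMega\\SoftICE")),
}


def scan(data: bytes):
    """Return (signature_name, offset) for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: a few of the sequences from the text, hand-assembled
# and surrounded by NOPs. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\\\\.\\SICE\x00"                                           # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # Method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Hits on a real file only point at where to look: a 32-bit binary would carry 66h operand-size prefixes the 16-bit patterns do not cover, so treat misses as "not seen", not "not present".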