<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; ES = 0 so es:[41h*4] addresses the IVT (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al             ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; ES = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read the PIT counter so al holds an unpredictable byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; if SoftICE intercepted int 41h, our handler never ran and cl is still 0
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the driver through its device name; this succeeds only if the VxD is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025    ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
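The breakpoints above catch these checks while tracing; as an added example (not part of the original text), here is a static Python scanner that looks for the byte patterns of methods 01, 02, 03/04, 05, 07 and 12 and for the driver names and registry key of methods 11 and 13, so a sample can be triaged for them before it is run. The signatures are constructed here from the standard x86 encodings of the listed instructions, and the sample bytes are constructed, not taken from any real binary.

```python
import re
from typing import List, Tuple

# Byte signatures for the checks above, usable as a static triage pass over a
# sample. Encodings assumed here (standard x86): mov r16,imm16 = B8+r iw,
# mov ebp,imm32 = BD id, int 3 = CC, int n = CD n, push imm8 = 6A, push imm32
# = 68, cmp ax,imm16 = 3D iw. A 66h prefix flips operand size between 16- and
# 32-bit code, so it is optional wherever the same check can appear in either.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("01 BoundsChecker 'BCHK' int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, in either order
    ("02 back door magic SI=4647h DI=4A4Dh",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h entry point of SICE or SIWVID",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int 41h/4Fh debugger installation check",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h V86 handler check", rb"\xB4\x43\xCD\x68"),
    # Methods 05/06/07/12 all compare ax with the 0F386h magic number
    ("05-12 cmp ax,0F386h magic number", rb"(?:\x66)?\x3D\x86\xF3"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: MeltICE-style CreateFileA/_lopen on the driver device names
    ("11 CreateFile/_lopen on SoftICE driver name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: the registry key most programs look up
    ("13 registry key Software\\NuMega\\SoftICE",
     re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in re.finditer(pat, data):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample fragment (not a real binary): methods 01 and 05 in their
# 32-bit encoding, the method 12 VxDCall prologue and a MeltICE device name.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01 + cmp al,4 / jnz
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"          # 05 + cmp ax,0F386h / jz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # 12 + call rel32
    + b"\\\\.\\SICE\x00"                                           # 11 device name
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {desc}")
```

Hits on the shared 0F386h compare alone are weak evidence; treat them as a prompt to look at the surrounding code, while the full instruction sequences are specific enough to flag on their own.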

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>