<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE; when SoftICE is
resident, al does not come back as 4:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point); ES:DI comes back as 0000:0000 when the VxD
is not loaded:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; swap in a dummy int 41h handler (ES must already be 0, the IVT segment)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h        ; with the dummy handler, only a debugger intercepting int 41h can have changed ax
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect (there is
no 4Fh function number or 0F386h magic value to set a conditional breakpoint on):


int41handler PROC
    mov cl,al             ; dummy handler: copy al into cl to prove it was reached
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install the dummy handler
    xchg bx, es:[41h*4+2]
    in al, 40h            ; pseudo-random byte from the timer counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl == al only if the dummy handler ran, i.e. nobody swallowed the int
    jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
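
Method 10 quotes two raw DR7 values without saying what they encode. The decoder
below is an added example, not code from the original text: it splits DR7 into
its documented IA-32 fields so that the 0x700 and 0x400 values above, and one
constructed value with a 4-byte read/write breakpoint armed in DR0 (the footprint
a BPM would leave), can be read off. The field layout is the architectural one;
the same decoder is handy when reviewing register state captured from a VM
snapshot or a crash dump.

```python
"""Decode a DR7 value such as the ones Method 10 reads.

Added example; not code from the original text.  The bit layout is the
documented IA-32 one.  The sample values are the two the text quotes (0x700
with the SoftICE Loader, 0x400 otherwise) plus one constructed value with a
4-byte read/write breakpoint armed in DR0, the footprint a BPM leaves.
"""

# DR7 bits 16-17, 20-21, 24-25, 28-29: which kind of access fires slot 0..3.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# DR7 bits 18-19, 22-23, 26-27, 30-31: watched length (0b10 means 8 bytes only in 64-bit mode).
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into per-slot settings plus the control bits LE, GE and GD."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Lx: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gx: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        length = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else "none"),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),    # local exact-breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact-breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: any MOV to/from a debug register raises #DB
        "slots": slots,
    }


def classify(dr7: int) -> str:
    """Label a DR7 value in the terms Method 10 uses."""
    fields = decode_dr7(dr7)
    armed = [s for s in fields["slots"] if s["enabled"]]
    if armed:
        return "breakpoints: " + ", ".join(
            f"DR{s['slot']} {s['kind']} len={s['length']} ({s['scope']})" for s in armed)
    if fields["LE"] and fields["GE"]:
        return "exact-breakpoint bits set, no slot armed (the 0x700 state)"
    # Bit 10 is reserved and always reads as 1, which is why an idle DR7 is 0x400, not 0.
    return "idle (the 0x400 state)"


if __name__ == "__main__":
    for value in (0x700, 0x400, 0xF0401):   # 0xF0401 is the constructed BPM-style value
        print(f"DR7={value:#x}: {classify(value)}")
```

Run it as a script to print the three classifications; decode_dr7() returns the
raw fields so a captured value can be compared against whatever a check like the
one in Method 10 expects.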
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00             ; OF_READ
    mov eax,[00656634]  ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589        ; detected
    push 00             ; OF_READ
    mov eax,[00656638]  ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae         ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>