<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh      ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4
  jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


  4C19:0095  MOV  AX,0911     ; execute command.
  4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
  4C19:009A  MOV  SI,4647     ; 1st magic value.
  4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
  4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
  4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
  4C19:00A4  INC  CX
  4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
  4C19:00A8  JB   0095        ; 6 different commands.
  4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
  4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h            ; VxD ID of winice
  int 2Fh
  mov ax, es               ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh            ; VxD ID of SIWVID
  int 2fh
  mov ax, es               ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]      ; es is expected to address segment 0 (the IVT):
  xchg bx, es:[41h*4+2]    ; swap in a harmless int 41h handler, keep the old one
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]      ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
  mov cl,al                ; our own handler: copy al into cl and return
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax                ; es = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]      ; install our handler in vector 41h, keep the old one
  xchg bx, es:[41h*4+2]
  in al, 40h               ; read the timer port: a value hard to guess in advance
  xor cx,cx
  int 41h                  ; a debugger hooking int 41h may take this before our handler
  xchg dx, es:[41h*4]      ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl,al                ; cl == al only if our handler was the one that ran
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

  mov ah, 25h
  mov al, Int_Number       ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
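As an added example that is not part of the original text, a Python decoder for the DR7 layout (taken from the Intel SDM, not from this text) that shows why the two idle values quoted above differ and which of dr0..dr3 a given DR7 actually arms; the function names and the sample values are my own.

```python
from typing import Dict, List, Sequence

# DR7 layout (Intel SDM vol. 3, "Debug Registers"): L0..L3 and G0..G3 alternate in
# bits 0-7, LE is bit 8, GE is bit 9, bit 10 always reads as 1, GD is bit 13, and
# for slot i the R/W field sits in bits 16+4i..17+4i and LEN in bits 18+4i..19+4i.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # 10b is 8 bytes on 64-bit, undefined on 32-bit

def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Describe the breakpoints DR7 has armed (one entry per enabled dr0..dr3 slot)
    plus the LE/GE/GD flags. `idle` is True when no slot is enabled, which is the
    state behind both of the text's quoted values (0x400 and 0x700)."""
    slots: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot disabled: dr_i holds no live breakpoint
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "addr": dr0_3[i], "kind": RW_KIND[rw],
                      "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"breakpoints": slots, "idle": not slots,
            "le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200), "gd": bool(dr7 & 0x2000)}

def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic as a predicate: no breakpoint armed but LE and GE set,
    i.e. dr7 == 0x700 rather than the bare reserved-bit value 0x400."""
    d = decode_dr7(dr7)
    return d["idle"] and d["le"] and d["ge"]

# Constructed values, not captured from a real machine: the two idle states from the
# text and a DR7 with a 4-byte local write breakpoint armed in slot 0, the kind of
# state a memory breakpoint on dr0 would leave behind.
EXAMPLES = {"plain": 0x400, "softice_loader": 0x700, "bpm_slot0": 0xD0001}

if __name__ == "__main__":
    for name, value in EXAMPLES.items():
        print(name, hex(value), decode_dr7(value, (0x401000, 0, 0, 0)))
```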
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push 00402025            ; \\.\SICE
  0040106C:  call CreateFileA
  00401071:  cmp  eax,-001
  00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(
-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(
-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                      ; OF_READ
  mov  eax,[00656634]          ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc  eax
  jnz  00650589                ; detected
  push 00                      ; OF_READ
  mov  eax,[00656638]          ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc  eax
  jz   006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

  push 0000004fh           ; function 4fh
  push 002a002ah           ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001    ; VxdCall
  cmp ax, 0f386h           ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:
  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
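As an added example that is not part of the original text, a small Python triage scanner an analyst can run over a sample to flag which of the checks from Methods 01 to 13 above it carries; the opcode encodings are assumptions taken from the Intel opcode map (not from the text), the function names are my own, and the sample blob is constructed, not a real file.

```python
import re
from typing import List, Tuple

# Byte signatures of the tricks described above. Opcode encodings are assumptions
# from the Intel opcode map (B8+r mov r,imm; CD ib int; 3D iw cmp ax,imm16;
# 68 id push imm32) using 16-bit operand forms, so they match plain 16-bit code
# and 66h-prefixed 32-bit code alike. `.{0,8}?` tolerates a few bytes between the
# two halves of a check (another move, a prefix, a nop).
SIGNATURES: List[Tuple[int, str, bytes]] = [
    (1,  "mov ebp,'BCHK' before int 3 (BoundsChecker probe)", rb"\xBD\x4B\x48\x43\x42"),
    (2,  "mov si,4647h / mov di,4A4Dh (int 3 back door magic)", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    (3,  "int 2Fh/1684h with VxD ID 0202h (SICE)", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    (4,  "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    (5,  "int 41h then cmp ax,0F386h", rb"\xCD\x41.{0,8}?\x3D\x86\xF3"),
    (7,  "int 68h then cmp ax,0F386h", rb"\xCD\x68.{0,8}?\x3D\x86\xF3"),
    (11, "MeltICE device name (ANSI, NUL-terminated)", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    (12, "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", rb"\x68\x2A\x00\x2A\x00"),
    (13, "SoftICE registry key string (case-sensitive as written above)", rb"Software\\NuMega\\SoftICE"),
]

def scan(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, method number, description) for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(blob: bytes) -> List[int]:
    """Distinct method numbers whose signature occurs in the blob, ascending."""
    return sorted({method for _, method, _ in scan(blob)})

# Constructed sample, not a real file: the Method 01, 05 and 11 checks from the text,
# hand-assembled as 66h-prefixed 32-bit code and padded with nops.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"        # mov ax, 4
    + b"\xCC"                    # int 3
    + b"\x3C\x04"                # cmp al, 4
    + b"\x90" * 6
    + b"\x66\xB8\x4F\x00"        # mov ax, 4Fh
    + b"\xCD\x41"                # int 41h
    + b"\x66\x3D\x86\xF3"        # cmp ax, 0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"         # "\\.\SICE" as CreateFileA would receive it
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"offset 0x{offset:04x}: method {method:02d} - {desc}")
```

The patterns are deliberately tight (exact immediates), so a hit says "this trick's constants are present", not "this is packed"; treat a miss as inconclusive, since a packer can build the same values at run time.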
% a$ l7 Y2 ]) C1 z1 x</PRE></TD></TR></TBODY></TABLE> |