About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>