<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the 'BCHK'
magic is placed in ebp, function 4 is requested in ax and int 3 is
executed. If SoftICE is present, its int 3 handler answers by changing al,
so al is no longer 4 afterwards.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; still 4 if nobody answered
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information about
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-(( HBOOT reboots the machine, so never trace into
such a loop with SoftICE live; neutralize the int 3 first.

Here is a quick description:
        -AX = 0910h (Display a string in the SoftICE window)
        -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
        -AX = 0912h (Get breakpoint information)
        -AX = 0913h (Set SoftICE breakpoints)
        -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV  AX,0911          ; execute command.
        4C19:0098 MOV  DX,[BX]          ; ds:dx points to the command (see below).
        4C19:009A MOV  SI,4647          ; 1st magic value.
        4C19:009D MOV  DI,4A4D          ; 2nd magic value.
        4C19:00A0 INT  3                ; int call (if SoftICE is not loaded, jmp to 00AD*)
        4C19:00A1 ADD  BX,02            ; BX+2 to point to the next command to execute
        4C19:00A4 INC  CX
        4C19:00A5 CMP  CX,06            ; repeat 6 times to execute
        4C19:00A8 JB   0095             ; 6 different commands.
        4C19:00AA JMP  0002             ; Bad_Guy: jump back.
        4C19:00AD MOV  BX,SP            ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API entry point): ES:DI comes back as 0:0 when no
VxD with that ID is installed, and non-zero otherwise.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE graphics VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger that implements the int 41h debugger interface, function
4Fh (debugger installation check).
There are several variants. The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


This variant and the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax, ax
        mov     es, ax                  ; es = 0: the real-mode interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

The point of swapping the vector first: a plain iret handler leaves ax at
4Fh, so ax can only come back as 0F386h if something intercepts int 41h
before the real-mode vector is reached (SoftICE, which hooks it from
protected mode). Patching the IVT entry therefore does not hide it.

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: instead of
calling the well-known function 4Fh it uses a random function number (the
byte read from timer port 40h) and checks whether its own handler was
actually reached.

int41handler PROC
        mov     cl, al                  ; our handler records the al it saw
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es = 0: interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; random-ish byte from the PIT counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; cl == al only if our handler ran
        jnz     SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), function 43h:

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a SoftICE detection method but a way to crash the system: int 01h and
int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints (BPMs) are set, since each
BPM occupies one of dr0 to dr3 and turns on its enable bits in dr7. The
values can also be manipulated or changed (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles on the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

        00401067: push    00402025              ; \\.\SICE
        0040106C: call    CreateFileA
        00401071: cmp     eax,-001              ; INVALID_HANDLE_VALUE
        00401074: je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the 4-byte "\\.\" prefix so
  the dword compared is the start of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (002Ah = VWIN32),
                                        ; low word selects the service
                                        ; (002Ah = VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f      ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside "Software\NuMega\SoftICE" and inside
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" respectively)
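
The BPX conditions given for the methods above catch each trick at run
time. Most of the tricks also leave a fixed byte sequence in the protected
program, so the same knowledge can be applied statically to a dumped or
unpacked image. The scanner below is an added example, not code from the
original text or from any of the programs it mentions: the rule names, the
rule table and the sample bytes are mine. It encodes methods 01, 02, 03/04,
05, 07, 08 and 12 as opcode patterns (16-bit real-mode encodings unless
noted; the int 2Fh rule wildcards the VxD ID and reports it, the int 21h/25h
rule assumes the mov ah / mov al / mov dx order shown in method 08) and
methods 11 and 13 as the device and registry names they open. Run it only
on code that is already unpacked: a packer's outer layer hides all of this.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD     (-1)   /* pattern element that matches any byte */
#define MAX_HITS 64

struct sig { const char *name; const short *pat; size_t len; };
struct hit { const char *name; size_t off; };

/* Opcode signatures; 16-bit real-mode encodings unless noted. */
static const short p_bchk_imm[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                    /* mov ebp,'BCHK' */
static const short p_bchk_int3[] = { 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04 };              /* mov ax,4 / int 3 / cmp al,4 */
static const short p_backdoor[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };              /* mov si,4647h / mov di,4A4Dh */
static const short p_int2f[]     = { 0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F };  /* mov ax,1684h / mov bx,ID / int 2Fh */
static const short p_int41[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                    /* mov ax,4Fh / int 41h */
static const short p_int68[]     = { 0xB4, 0x43, 0xCD, 0x68 };                          /* mov ah,43h / int 68h */
static const short p_hook01[]    = { 0xB4, 0x25, 0xB0, 0x01, 0xBA, WILD, WILD, 0xCD, 0x21 }; /* set int 01h vector */
static const short p_hook03[]    = { 0xB4, 0x25, 0xB0, 0x03, 0xBA, WILD, WILD, 0xCD, 0x21 }; /* set int 03h vector */
static const short p_f386[]      = { 0x3D, 0x86, 0xF3 };                                /* cmp ax,0F386h (66-prefixed in 32-bit code) */
static const short p_vxdcall[]   = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };        /* push 4Fh / push 2A002Ah, 32-bit code */

#define SIG(n, a) { n, a, sizeof(a) / sizeof((a)[0]) }
static const struct sig opcode_sigs[] = {
    SIG("01 mov ebp,'BCHK'",            p_bchk_imm),
    SIG("01 int 3 / cmp al,4",          p_bchk_int3),
    SIG("02 int 3 backdoor magic",      p_backdoor),
    SIG("03/04 int 2Fh/1684h",          p_int2f),
    SIG("05 int 41h/4Fh",               p_int41),
    SIG("07 int 68h/43h",               p_int68),
    SIG("08 int 21h/25h hooks int 01h", p_hook01),
    SIG("08 int 21h/25h hooks int 03h", p_hook03),
    SIG("05/07/12 cmp ax,0F386h",       p_f386),
    SIG("12 VWIN32_Int41Dispatch",      p_vxdcall),
};

/* Device names opened by MeltICE-style checks (method 11) and the registry
   subkey of method 13; matched as plain bytes, no NUL terminator required. */
static const char *const name_sigs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "NuMega\\SoftICE",
};

static int scan_pattern(const uint8_t *buf, size_t len, const char *name,
                        const short *pat, size_t plen, struct hit *hits, int n)
{
    for (size_t off = 0; off + plen <= len; off++) {
        size_t i = 0;
        while (i < plen && (pat[i] == WILD || buf[off + i] == (uint8_t)pat[i]))
            i++;
        if (i == plen && n < MAX_HITS)
            hits[n++] = (struct hit){ name, off };
    }
    return n;
}

/* Scan a raw code/data image. hits[] must hold MAX_HITS entries; returns the
   hit count, opcode rules first in table order, then the name strings. */
int scan_softice_checks(const uint8_t *buf, size_t len, struct hit *hits)
{
    int n = 0;
    for (size_t r = 0; r < sizeof(opcode_sigs) / sizeof(opcode_sigs[0]); r++)
        n = scan_pattern(buf, len, opcode_sigs[r].name,
                         opcode_sigs[r].pat, opcode_sigs[r].len, hits, n);
    for (size_t r = 0; r < sizeof(name_sigs) / sizeof(name_sigs[0]); r++) {
        short pat[32];
        size_t plen = strlen(name_sigs[r]);
        if (plen > sizeof(pat) / sizeof(pat[0]))
            continue;
        for (size_t i = 0; i < plen; i++)
            pat[i] = (uint8_t)name_sigs[r][i];
        n = scan_pattern(buf, len, name_sigs[r], pat, plen, hits, n);
    }
    return n;
}

/* For a "03/04 int 2Fh/1684h" hit the queried VxD ID is the imm16 of mov bx. */
unsigned vxd_id_at(const uint8_t *buf, size_t off)
{
    return buf[off + 4] | (unsigned)buf[off + 5] << 8;
}

/* Constructed sample image: the method 01 probe, the Haspinst.exe backdoor
   fragment, method 04 (SIWVID) and one MeltICE device name. */
static const uint8_t sample[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, 0x90,0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,
    '\\','\\','.','\\','S','I','C','E', 0,
};

int main(void)
{
    struct hit hits[MAX_HITS];
    int n = scan_softice_checks(sample, sizeof sample, hits);
    for (int i = 0; i < n; i++)
        printf("+%04zx  %s\n", hits[i].off, hits[i].name);
    return 0;
}
```

The cmp ax,0F386h rule is deliberately prefix-free so it fires in both
16-bit and 32-bit code; on its own it is weak, so treat it as confirmation
for an int 41h, int 68h or VxDCall hit nearby rather than as a finding.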

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>