About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
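Most of the tricks above leave a recognisable byte sequence in the binary, so an analyst triaging a packed sample can flag them statically before ever single-stepping it. The following Python scanner is an added example, not code from the original post: its signatures are the x86 encodings of the snippets shown above, the tolerated gaps, the method names and the constructed SAMPLE buffer are my own assumptions.

```python
import re
from typing import Dict, List

# One byte signature per trick, taken from the x86 encoding of the snippet the
# page gives for it (immediates little-endian). Where the page's snippet has
# other instructions between the two halves, a gap of up to 16 bytes is
# tolerated (my assumption, not the page's). 6Ah/68h are the two push forms.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3            BD imm32 ... CC
    "01 BoundsChecker BCHK / int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S),
    # 02: mov si,4647h ; mov di,4A4Dh ; int 3             BE iw / BF iw / CC
    "02 int 3 back door SI=4647h DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,16}?\xCC", re.S),
    # 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh     B8 iw / BB iw / CD 2F
    "03 int 2F/1684h SICE (0202h)":
        re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    "04 int 2F/1684h SIWVID (7A5Fh)":
        re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h        B8 iw / CD 41 / 3D iw
    "05 int 41h/4Fh magic F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    # 07: mov ah,43h ; int 68h                            B4 ib / CD 68
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # 11 (MeltICE): device names handed to CreateFileA or _lopen
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # 13: the NuMega registry key (registry paths are case-insensitive)
    "13 SoftICE registry key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each trick whose signature occurs in data to its file offsets."""
    hits = {name: [m.start() for m in pat.finditer(data)]
            for name, pat in SIGNATURES.items()}
    return {name: offs for name, offs in hits.items() if offs}


def methods_found(data: bytes) -> List[str]:
    """Method numbers only, in page order, for a one-line triage summary."""
    return [name[:2] for name in scan(data)]


# Constructed sample, not a real file: padding, the Method 02 sequence from the
# Haspinst.exe listing, the simplest Method 05 form, then a MeltICE string.
SAMPLE = (
    b"MZ" + b"\x90" * 30
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h .. int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # mov ax,4Fh .. jz
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                   # CreateFileA target
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(f"{name:40s} at {', '.join(hex(o) for o in offs)}")
```

A hit only says the sequence is present; a packer may build the immediates at run time (as Methods 09, 10 and 14 do from ring0), so treat a clean scan as a hint, not a clearance.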