<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
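To make the two DR7 values quoted above readable, here is a decoder for the register's documented bit layout, written as an added example (it is not code from the original text): bit 10 is the reserved always-set bit that gives the 0x400 baseline, bits 8 and 9 (LE/GE) are what turn it into 0x700, and bits 0-7 plus the R/W and LEN fields describe the dr0..dr3 breakpoints the text talks about. The classify() names and the dr7_with_bpm() helper are this example's own, used only to build test values.

```python
"""Decode an x86 DR7 value into what Method 10 reads out of it (added example)."""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
DR7_BASELINE = 0x400          # reserved bit 10, set even with no debugger around


def decode_dr7(dr7: int) -> Dict:
    """List the enabled hardware breakpoints (dr0..dr3) and the global flags."""
    bps: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln enable bit
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn enable bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: what kind of access traps
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: how many bytes are watched
            bps.append({"index": n, "local": bool(local), "global": bool(glob),
                        "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "le": bool(dr7 & (1 << 8)),       # local exact breakpoint enable
            "ge": bool(dr7 & (1 << 9)),       # global exact breakpoint enable
            "gd": bool(dr7 & (1 << 13))}      # general detect (debug-register access)


def classify(dr7: int) -> str:
    """Map a DR7 reading onto the three cases the text distinguishes:
    BPMs set (some dr0..dr3 enabled), the 0x700 SoftICE-loader case
    (LE and GE set, no breakpoints), or the bare 0x400 baseline."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm-set"
    if d["le"] or d["ge"]:
        return "softice-loader"
    return "clean"


def dr7_with_bpm(index: int, kind: int, length: int, dr7: int = DR7_BASELINE) -> int:
    """Constructed helper for building test values: dr7 with a local breakpoint
    enabled in slot `index`, R/W field `kind` and LEN field `length`."""
    return (dr7 | (1 << (2 * index))
            | (kind << (16 + 4 * index)) | (length << (18 + 4 * index)))


if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_with_bpm(2, 3, 3)):
        print(f"dr7={value:#010x}: {classify(value)} {decode_dr7(value)}")
```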

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
8 |- X# b$ f- ~9 R0 c" W% RMethod 13
7 _. c% a% } P2 ]2 s; @5 E=========
8 M. L' @* S$ S
) i; ?! {0 s Q) r2 pNot a real method of detection, but a good way to know if SoftICE is% z6 Z0 _3 }" B; k0 s2 ]4 k6 F
installed on a computer and to locate its installation directory.
+ U( G; `5 p d) IIt is used by few softs which access the following registry keys (usually #2) :( D \9 W4 W* q4 m2 n! ^, Z
; J& p' P# V# H( ]-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! }9 r/ ?; Q0 E! @: |
\Uninstall\SoftICE" U8 Y1 D7 Z& S0 C. D" _
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE, N' c* l7 Z2 I% S+ q6 Y
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* }8 [. B' c \( }% c' x$ y& d\App Paths\Loader32.Exe8 b1 w9 ^1 B T3 v2 @( E$ A
# K5 B; M e( i8 V
% k5 Z3 C4 @! A/ {, H- a% ~
Note that some nasty apps could then erase all files from SoftICE directory
$ c" J' B8 l5 [# l& G! L0 {" z(I faced that once :-(+ S7 z1 W7 h1 K/ b2 r [- z) o
* I+ e$ \1 t6 L! D0 \Useful breakpoint to detect it:; X3 {7 Y! d4 H" o% f+ j
: L. H9 ^4 m; W6 O9 j; j BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'7 ~" ~$ I" E$ o* Q+ Z& J, f
n) ]! p7 Z) B) v1 F__________________________________________________________________________
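Several of the methods above (01, 02, 05, 11 and 13) leave fixed bytes in the binary that uses them: the 'BCHK' constant, the 4647h/4A4Dh magic values, the 0F386h compare, the \\.\SICE-style device names and the NuMega registry key. Here is a static scanner for those signatures, written as an added example for analysts triaging packed samples; it is not code from the original text, and the opcode bytes assumed for each instruction (BD mov ebp, BE mov si, BF mov di, 3D cmp ax) are stated in the comments.

```python
"""Static scan of a binary for the SoftICE-detection signatures this page lists.
Immediates are matched in their little-endian encoded form; the 66h operand-size
prefix used by 32-bit code precedes the opcode, so it does not break a match."""
from typing import List, Set, Tuple

SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp, 04243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("m01 BoundsChecker 'BCHK' constant", b"\xBD" + (0x4243484B).to_bytes(4, "little")),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values (BE / BF imm16)
    ("m02 back-door magic SI=4647h", b"\xBE" + (0x4647).to_bytes(2, "little")),
    ("m02 back-door magic DI=4A4Dh", b"\xBF" + (0x4A4D).to_bytes(2, "little")),
    # Methods 05/07/12: cmp ax,0F386h (3D imm16), the debugger 'magic number'
    ("m05 cmp ax,0F386h debugger magic", b"\x3D" + (0xF386).to_bytes(2, "little")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen (ANSI only,
    # a CreateFileW caller would need the UTF-16 form as well)
    ("m11 \\\\.\\SICE device name", b"\\\\.\\SICE"),
    ("m11 \\\\.\\SIWVID device name", b"\\\\.\\SIWVID"),
    ("m11 \\\\.\\NTICE device name", b"\\\\.\\NTICE"),
    # Method 13: registry key probing for the install directory
    ("m13 NuMega\\SoftICE registry key", b"Software\\NuMega\\SoftICE"),
]


def scan_bytes(blob: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, description) match in blob, sorted by offset.
    The 3-byte opcode patterns can collide with unrelated code; treat a single
    m02/m05 hit as weak and both m02 magic values together as strong."""
    hits: List[Tuple[int, str]] = []
    for desc, pattern in SIGNATURES:
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1          # keep going: a packer may repeat a trick
    return sorted(hits)


def methods_found(hits: List[Tuple[int, str]]) -> Set[str]:
    """Collapse raw hits to the set of page methods ('m01', 'm02', ...) seen."""
    return {desc.split()[0] for _, desc in hits}


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: the Haspinst.exe fragment from Method 02 (mov ax,0911h;
# mov si,4647h; mov di,4A4Dh; int 3), padding, then a MeltICE-style device name.
SAMPLE = (bytes.fromhex("B81109" "BE4746" "BF4D4A" "CC")
          + b"\x00" * 8
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for off, what in scan_bytes(SAMPLE):
        print(f"{off:#06x}  {what}")
    print("methods:", sorted(methods_found(scan_bytes(SAMPLE))))
```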


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>