<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface to SoftICE: with EBP='BCHK' and
AX=04h, an INT 3 is intercepted by SoftICE, which changes AL on return.
If SoftICE is not loaded nothing answers the INT 3 (a Win32 program has
to wrap it in an exception handler, otherwise the INT 3 kills it) and AL
is still 4 afterwards.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door' commands, which give infos on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before it honours the request;
they are the signature to look for in a binary.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (the last one reboots the
machine, so never let this loop run with SoftICE loaded).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  without SoftICE nothing answers the INT 3, the program's own handler
  catches it and resumes at 00ADh.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first; if the VxD is not
loaded the call leaves ES:DI untouched, otherwise it returns the API
entry point in ES:DI, so a non-zero result means SoftICE is present.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WinICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.
The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The idea is to put a dummy
INT 41h handler (a bare IRET) into the real-mode interrupt vector table
before the call: if only the vector table entry is reached, AX comes back
unchanged; if a system debugger intercepts INT 41h before the vector
table, AX comes back as 0F386h.

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the function number in AL is a pseudo-random value read from the timer
port (in al,40h) instead of 4Fh, so a conditional breakpoint on ax==4F
never fires. The dummy handler copies AL into CL; if CL still differs
from AL afterwards, the dummy handler never ran because a debugger
intercepted the interrupt. (When the timer happens to return 0 the check
passes even under a debugger, so it is not 100% reliable.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random function number
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86). Function
AH=43h of int 68h is the debugger installation check of the Windows
debugging interface; a system debugger answers with AX=0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
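As an added example (mine, not part of the original text nor of any tool it
mentions), here is a small byte-pattern scanner in C that hunts a binary
image for the opcode sequences of methods 01 to 07 above. The signature
names, the wildcard mechanism, the function names (find_sig, count_hits,
vxd_id_at) and the SAMPLE bytes are my own construction, hand-assembled from
the listings above (method 01 as 32-bit code, the rest as the 16-bit
encodings used in the DOS programs the text describes). It goes beyond the
page by wildcarding the VxD ID in the int 2Fh/1684h pattern, so both the
SICE (0202h) and SIWVID (7A5Fh) queries are caught and the queried ID is
reported.

```c
/* sice_sigs.c - byte-pattern scan for the SoftICE detection tricks above
 * (methods 01 to 07).  Added example, not from the original page.
 * SAMPLE below is constructed by hand; its offsets are the expected results. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD (-1)   /* wildcard: matches any byte */

typedef struct {
    const char    *name;
    const int16_t *pat;   /* 0x00..0xFF literal, WILD = any */
    size_t         len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK')                -> BD 4B 48 43 42 */
static const int16_t P_BCHK[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h / mov di,4A4Dh (32-bit code puts a 66h prefix first) */
static const int16_t P_MAGIC_SI[] = { 0xBE, 0x47, 0x46 };
static const int16_t P_MAGIC_DI[] = { 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh -> id wildcarded */
static const int16_t P_INT2F[]    = { 0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh / int 41h                      -> B8 4F 00 CD 41 */
static const int16_t P_INT41[]    = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h / int 68h                      -> B4 43 CD 68 */
static const int16_t P_INT68[]    = { 0xB4, 0x43, 0xCD, 0x68 };

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t SIGS[] = {
    SIG("bchk_int3",   P_BCHK),
    SIG("backdoor_si", P_MAGIC_SI),
    SIG("backdoor_di", P_MAGIC_DI),
    SIG("int2f_1684",  P_INT2F),
    SIG("int41_4f",    P_INT41),
    SIG("int68_43",    P_INT68),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

static int match_at(const uint8_t *buf, size_t n, size_t off, const sig_t *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Offset of the first occurrence of the named signature, or -1. */
long find_sig(const uint8_t *buf, size_t n, const char *name)
{
    for (size_t k = 0; k < NSIGS; k++) {
        if (strcmp(SIGS[k].name, name) != 0) continue;
        for (size_t off = 0; off < n; off++)
            if (match_at(buf, n, off, &SIGS[k])) return (long)off;
        return -1;
    }
    return -1;
}

/* Number of signature occurrences in the buffer (all rules, all offsets). */
size_t count_hits(const uint8_t *buf, size_t n)
{
    size_t hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        for (size_t off = 0; off < n; off++)
            hits += match_at(buf, n, off, &SIGS[k]);
    return hits;
}

/* VxD ID queried by an int 2Fh/1684h hit: the wildcarded imm16 of mov bx. */
unsigned vxd_id_at(const uint8_t *buf, size_t n, long off)
{
    if (off < 0 || (size_t)off + 6 > n) return 0;
    return buf[off + 4] | (buf[off + 5] << 8);
}

/* Constructed sample: methods 01, 02, 03, 05 and 07 back to back. */
const uint8_t SAMPLE[] = {
    0x90, 0x90,                         /* nop; nop (filler)                     */
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh   (method 01, @2)   */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax,4                              */
    0xCC,                               /* int 3                                 */
    0x3C, 0x04,                         /* cmp al,4                              */
    0x75, 0x00,                         /* jnz $+2                               */
    0xB8, 0x11, 0x09,                   /* mov ax,0911h        (method 02)       */
    0xBE, 0x47, 0x46,                   /* mov si,4647h        (@19)             */
    0xBF, 0x4D, 0x4A,                   /* mov di,4A4Dh        (@22)             */
    0xCC,                               /* int 3                                 */
    0xB8, 0x84, 0x16,                   /* mov ax,1684h        (method 03, @26)  */
    0xBB, 0x02, 0x02,                   /* mov bx,0202h                          */
    0xCD, 0x2F,                         /* int 2Fh                               */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,       /* mov ax,4Fh / int 41h (method 05, @34) */
    0xB4, 0x43, 0xCD, 0x68,             /* mov ah,43h / int 68h (method 07, @39) */
};
#define SAMPLE_LEN (sizeof(SAMPLE))

int main(void)
{
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_sig(SAMPLE, SAMPLE_LEN, SIGS[k].name);
        if (off >= 0) printf("%-12s at offset %ld\n", SIGS[k].name, off);
    }
    printf("int 2Fh query targets VxD ID %04X\n",
           vxd_id_at(SAMPLE, SAMPLE_LEN, find_sig(SAMPLE, SAMPLE_LEN, "int2f_1684")));
    return 0;
}
```

The 'BCHK' immediate rule catches method 01 in 16- or 32-bit code, and the
int 41h rule still matches the 32-bit `mov ax,4Fh` (66h B8 4F 00) because
only the tail is compared; it does not match `mov eax,4Fh` (B8 4F 00 00 00),
and method 06 has no fixed function number to match at all, which is exactly
why the text calls it harder to detect.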
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...).
A debugger lives on INT 1 (single-step) and INT 3 (breakpoints), so
stealing those two vectors is what breaks it.

        mov     ah, 25h                 ; DOS set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h                     ; DS:DX -> new handler

__________________________________________________________________________
/ u, ^5 P3 {$ } ^
5 M- d5 b/ O. c4 p; yMethod 09, ^( M: C; u9 R: P5 U
=========
7 Y6 g5 }+ ]* F) P. H0 ]1 N9 V) O7 a) d6 h$ {- M
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 C: N* i* O. \performed in ring0 (VxD or a ring3 app using the VxdCall).
9 [' [$ U: } Q& b# W- EThe Get_DDB service is used to determine whether or not a VxD is installed
8 Z- a/ r+ f9 Cfor the specified device and returns a Device Description Block (in ecx) for
7 E9 r" X) @$ y+ f Jthat device if it is installed.
7 Z* O) Z/ {. g' t3 ^* l+ U1 j6 m+ s. W9 s2 ?+ G4 X3 C' u4 L
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID- ^+ |! Y w. l- ?7 z
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 }5 Z) j7 {( w8 R- O: x& z" z. u
VMMCall Get_DDB
+ C, _$ j: [; A9 h* D' K mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed" ^; B, O5 a. ^6 y
) W, |* S/ g/ l/ A( Q/ U# \ \3 |Note as well that you can easily detect this method with SoftICE:
) {% k4 f$ U# E bpx Get_DDB if ax==0202 || ax==7a5fh& z) C" q, s# u" W, [# N
4 L% o3 P4 N$ E. Z__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE loader, 0x400 otherwise) or if there are some memory breakpoints
set (dr0 to dr3), simply by reading their value (ring0 only, since
mov eax,dr7 is a privileged instruction). In DR7, bit 10 is reserved and
always reads as 1 (hence the 0x400 baseline), bits 8 and 9 are the LE/GE
exact-breakpoint flags that the loader leaves set, bits 0-7 are the L/G
enable bits of the four breakpoints and bits 16-31 their R/W and LEN
fields. Values can be manipulated and/or changed as well (clearing BPMs
for instance).
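As an added example (mine, not the page's), here is C code that decodes and
edits DR7 the way a BPM check or a BPM cleaner would: it pulls out the L/G
enable bits, the R/W and LEN fields and the LE/GE/GD flags, applies the
0x700-versus-0x400 heuristic from the text, and shows how a BPM is armed and
how all BPMs are cleared. It generalizes beyond the two values quoted above
to any DR7 value. The function names and the sample values are my own; the
code only works on DR7 values handed to it, because reading the register
itself is ring0 work (mov eax,dr7) or, in Windows user mode, a
GetThreadContext call with CONTEXT_DEBUG_REGISTERS.

```c
/* dr7.c - decode and edit the DR7 values method 10 talks about.
 * Added example, not from the original text; all values are constructed. */
#include <stdint.h>
#include <stdio.h>

enum { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_RW = 3 };   /* R/W field values */

typedef struct {
    int local, global;   /* L<n> / G<n> enable bits */
    int rw;              /* DR_EXEC .. DR_RW */
    int len;             /* watched length in bytes: 1, 2, 4 (8 only in long mode) */
} dr_slot_t;

typedef struct {
    dr_slot_t slot[4];
    int le, ge, gd;      /* bit 8, bit 9, bit 13 */
    int armed;           /* number of slots with L or G set */
} dr7_t;

static int len_bits_to_bytes(unsigned bits)
{
    static const int tbl[4] = { 1, 2, 8, 4 };   /* 00=1, 01=2, 10=8, 11=4 */
    return tbl[bits & 3];
}

static unsigned bytes_to_len_bits(int bytes)
{
    switch (bytes) { case 1: return 0; case 2: return 1; case 8: return 2; default: return 3; }
}

/* Split a DR7 value into its fields. */
dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = { 0 };
    for (int i = 0; i < 4; i++) {
        d.slot[i].local  = (dr7 >> (2 * i)) & 1;
        d.slot[i].global = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len    = len_bits_to_bytes((dr7 >> (18 + 4 * i)) & 3);
        if (d.slot[i].local || d.slot[i].global) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The text's heuristic: 0x700 = LE+GE set (SoftICE loader),
 * 0x400 = only the always-one reserved bit 10. */
int dr7_loaded_by_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm slot <n> as a local breakpoint of the given type and length,
 * which is what a BPM does (the address itself goes into DR<n>). */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len_bytes)
{
    dr7 &= ~(0xFu << (16 + 4 * n));                 /* clear old R/W + LEN */
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= bytes_to_len_bits(len_bytes) << (18 + 4 * n);
    dr7 |= 1u << (2 * n);                           /* L<n> */
    return dr7;
}

/* Clear every breakpoint: drop all L/G bits and R/W + LEN fields,
 * keep bits 8-15 (LE, GE, reserved bit 10, GD) as they were. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    uint32_t v = dr7_arm(0x400, 0, DR_WRITE, 4);    /* one 4-byte write BPM */
    dr7_t d = decode_dr7(v);
    printf("DR7=%08X: armed=%d slot0 rw=%d len=%d local=%d\n",
           v, d.armed, d.slot[0].rw, d.slot[0].len, d.slot[0].local);
    printf("0x700 looks like SoftICE loader: %d, after disarm: %08X\n",
           dr7_loaded_by_softice_loader(0x700), dr7_disarm_all(v));
    return 0;
}
```

A program running the check from the text compares the value it reads with
0x400; anything else means either the loader's LE/GE flags or an armed BPM,
which is why the warning above says to clear breakpoints before running it.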

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when
the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* \\.\SICE is the device name of the Win9x SoftICE VxD;
       use \\.\SIWVID for the video VxD and \\.\NTICE on WinNT. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025             ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001             ; INVALID_HANDLE_VALUE
00401074: je   00401091             ; open failed -> SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job. _lopen returns HFILE_ERROR (-1) on failure,
so after INC EAX a non-zero result means the device was opened:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited because it's only available for
Win95/98 (not NT) as it uses the VxDCall backdoor: Kernel32 ordinal 1
(VxDCall) with 002A002Ah selects VxD 002Ah (VWIN32), service 002Ah
(VWIN32_Int41Dispatch), so the ring3 app reaches the INT 41h dispatcher
without executing an INT 41h itself. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
within the subkey strings of keys #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>