<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP holding
the 'BCHK' signature and AX=4, SoftICE answers the INT 3 and modifies AL,
so the check is simply whether AL still holds 4 afterwards.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description (function number in AX):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires in SI and DI before it
honours the INT 3 back door.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through the program's own INT 3 exception
handler if the debugger is not loaded (nobody answers the back door, so
the INT 3 falls through to that handler).
___________________________________________________________________________
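Both tricks leave a fixed byte pattern in the protected file, so they can be found statically. The scanner below is an added example, not part of the original text or of any packer: it looks for the Method 01 and Method 02 sequences in a raw code image using the standard x86 encodings of the instructions shown above (mov ebp,imm32 = BD id, with a 66h prefix in 16-bit code; mov si,imm16 = BE iw; mov di,imm16 = BF iw; int 3 = CC). The 16-byte window between the magic loads and the INT 3 is an assumption of this example, and the sample image is constructed: the Haspinst.exe loop as assembled from the listing above, preceded by a Method 01 sequence.

```c
/* Added example: static scan for the SoftICE INT 3 back-door signatures
 * of Method 01 ('BCHK' in EBP) and Method 02 (SI='FG', DI='JM').
 * Build: cc -std=c99 -Wall sice_scan.c -o sice_scan */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16  /* assumed max distance (bytes) between the loads and the INT 3 */

/* Constructed sample: Method 01 as assembled in a 16-bit segment, two NOPs,
 * then the Haspinst.exe loop (4C19:0095..00AE) assembled from the listing. */
const uint8_t sample_image[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh ('BCHK') */
    0xB8, 0x04, 0x00,                     /* mov ax,4                  */
    0xCC,                                 /* int 3                     */
    0x3C, 0x04,                           /* cmp al,4                  */
    0x75, 0x10,                           /* jnz SoftICE_Detected      */
    0x90, 0x90,                           /* filler                    */
    0xB8, 0x11, 0x09,                     /* mov ax,0911h              */
    0x8B, 0x17,                           /* mov dx,[bx]               */
    0xBE, 0x47, 0x46,                     /* mov si,4647h ('FG')       */
    0xBF, 0x4D, 0x4A,                     /* mov di,4A4Dh ('JM')       */
    0xCC,                                 /* int 3                     */
    0x83, 0xC3, 0x02,                     /* add bx,2                  */
    0x41,                                 /* inc cx                    */
    0x83, 0xF9, 0x06,                     /* cmp cx,6                  */
    0x72, 0xEB,                           /* jb 0095                   */
    0xE9, 0x55, 0xFF,                     /* jmp 0002                  */
    0x8B, 0xDC,                           /* mov bx,sp                 */
};

/* 1 if `needle` occurs at buf[pos]. */
static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const uint8_t *needle, size_t nlen)
{
    return pos + nlen <= len && memcmp(buf + pos, needle, nlen) == 0;
}

/* 1 if an INT 3 (CC) occurs within `window` bytes starting at `pos`. */
static int int3_follows(const uint8_t *buf, size_t len, size_t pos, size_t window)
{
    for (size_t i = pos; i < len && i < pos + window; i++)
        if (buf[i] == 0xCC)
            return 1;
    return 0;
}

/* Method 01: mov ebp,'BCHK' followed by an INT 3.  Returns the offset of the
 * instruction (including a 66h prefix if present) or -1. */
long find_bchk_backdoor(const uint8_t *buf, size_t len)
{
    static const uint8_t bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
    for (size_t i = 0; i < len; i++)
        if (match_at(buf, len, i, bchk, sizeof bchk) &&
            int3_follows(buf, len, i + sizeof bchk, WINDOW))
            return (long)((i > 0 && buf[i - 1] == 0x66) ? i - 1 : i);
    return -1;
}

/* Method 02: mov si,4647h and mov di,4A4Dh (in either order) followed by an
 * INT 3.  Returns the offset of the first magic load or -1. */
long find_fgjm_backdoor(const uint8_t *buf, size_t len)
{
    static const uint8_t si_fg[] = { 0xBE, 0x47, 0x46 };
    static const uint8_t di_jm[] = { 0xBF, 0x4D, 0x4A };
    for (size_t i = 0; i < len; i++) {
        const uint8_t *second;
        if (match_at(buf, len, i, si_fg, 3))      second = di_jm;
        else if (match_at(buf, len, i, di_jm, 3)) second = si_fg;
        else continue;
        for (size_t j = i + 3; j < len && j < i + WINDOW; j++)
            if (match_at(buf, len, j, second, 3) &&
                int3_follows(buf, len, j + 3, WINDOW))
                return (long)i;
    }
    return -1;
}

int main(void)
{
    long a = find_bchk_backdoor(sample_image, sizeof sample_image);
    long b = find_fgjm_backdoor(sample_image, sizeof sample_image);
    printf("Method 01 ('BCHK' back door): %s (offset %ld)\n", a >= 0 ? "found" : "absent", a);
    printf("Method 02 (FG/JM back door):  %s (offset %ld)\n", b >= 0 ? "found" : "absent", b);
    return 0;
}
```

Run on a real DOS executable the scanner gives you the file offsets to set a BPX on; a packer that builds the magic values arithmetically instead of loading them as immediates will not match, which is why the dynamic INT 3 breakpoint conditions described later on this page remain necessary.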

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point). If the VxD is loaded, ES:DI receives the
address of its API entry point; otherwise ES:DI stays 0:0.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when it is asked the debugger-installation check,
int 41h function 4Fh. There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). It first points the int 41h vector
(at 0000:0104h) at a dummy handler that just IRETs, so that without a
debugger the call returns harmlessly with AX unchanged (4Fh); the check
relies on SoftICE trapping int 41h before the vector in the IVT is used,
so it still answers 0F386h:

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our handler (offset)
    xchg bx, es:[41h*4+2]   ;                     (segment)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second variant, similar to the preceding one but harder to detect: instead
of looking at the 0F386h reply, it checks whether int 41h ever reached its
own handler. The handler copies AL into CL; a pseudo-random byte (read from
the timer port 40h) is put in AL and CX is cleared before the call. If
SoftICE has hooked int 41h, the handler never runs, CL stays 0 and CL != AL.
(If the byte read happens to be 0 the check is inconclusive.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer counter: a pseudo-random byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h
returns the same 0F386h magic number when a debugger is installed.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: the
program intercepts int 01h and int 03h (the single-step and breakpoint
interrupts) and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The VMM Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3 hold the BPM addresses). The values can
also be manipulated or changed (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. The open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how could a shareware program load or
unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
four bytes compared are the start of the device name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                            ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                            ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
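The same check written so that it can be run and tested on a machine without SoftICE, as an added example that is not the page's code nor NuMega's nmtrans.dll code: the driver-open call is passed in as a function pointer. On Windows, open_device_win32 wraps CreateFileA with exactly the flags of the sample above; the fake opener, its "only NTICE is present" answer and the name meltice_detect are constructed for this example. device_tag shows what the classic BPX CreateFileA condition actually compares: the four bytes after the "\\.\" prefix.

```c
/* Added example: MeltICE-style driver-handle check (Method 11) with an
 * injectable opener.  Build: cc -std=c99 -Wall meltice.c -o meltice */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opener contract: nonzero if a handle to `path` could be opened (and closed). */
typedef int (*device_opener)(const char *path);

/* Device names from the text, in the \\.\NAME form CreateFileA expects. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* SoftICE for Windows 9x           */
    "\\\\.\\SIWVID",  /* SoftICE 9x GFX (video) VxD        */
    "\\\\.\\NTICE",   /* SoftICE for Windows NT           */
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

#ifdef _WIN32
#include <windows.h>
/* The original MeltICE call: GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING. */
int open_device_win32(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Returns the index of the first device that opened, or -1 if none did, and
 * optionally the name that hit.  It stops at the first hit: every extra
 * CreateFileA is one more chance for a BPX to fire. */
int meltice_detect(device_opener open_device, const char **which)
{
    for (size_t i = 0; i < N_DEVICES; i++) {
        if (open_device(softice_devices[i])) {
            if (which) *which = softice_devices[i];
            return (int)i;
        }
    }
    if (which) *which = NULL;
    return -1;
}

/* Copies into `tag` (NUL-terminated) the 4 bytes that
 *   BPX CreateFileA if *(esp->4+4)=='SICE' ...
 * looks at: esp->4 is lpFileName, +4 skips the "\\.\" prefix. */
void device_tag(const char *path, char tag[5])
{
    const char *p = strncmp(path, "\\\\.\\", 4) == 0 ? path + 4 : path;
    strncpy(tag, p, 4);
    tag[4] = '\0';
}

/* Constructed stand-ins for non-Windows builds and for the test. */
int fake_open_only_ntice(const char *path) { return strcmp(path, "\\\\.\\NTICE") == 0; }
int fake_open_none(const char *path)       { (void)path; return 0; }

int main(void)
{
    const char *hit;
#ifdef _WIN32
    int idx = meltice_detect(open_device_win32, &hit);
#else
    int idx = meltice_detect(fake_open_only_ntice, &hit);
#endif
    if (idx >= 0) {
        char tag[5];
        device_tag(hit, tag);
        printf("SoftICE detected via %s (BPX compares '%s')\n", hit, tag);
    } else {
        printf("no SoftICE driver handle could be opened\n");
    }
    return 0;
}
```

The function-pointer seam is also where a protector would be attacked: anyone who hooks CreateFileA (or, as the text explains, the VxD control-dispatch path underneath it) can make every open fail, so this check is only as strong as the path from the API down to the DDB list.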

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in key #2 and key #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>