About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with ebp='BCHK' and
ax=4, an int 3 is answered by SoftICE, which changes al; if nobody is
there to answer, al is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; handled by SoftICE if it is loaded
    cmp     al,4                   ; al untouched => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx (BX
walks a table of near pointers, one per command), which are:
LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point). If the VxD is not loaded, ES:DI comes back as 0:0.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 => not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program installs its own (dummy)
int 41h handler first, so that ax can only become 0F386h if something
intercepts the interrupt before the vector table entry is reached:

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h             ; our handler leaves ax untouched
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
0F386h magic value is compared. A pseudo-random byte (read from the PIT
counter, port 40h) is passed in al; the program's own handler copies it into
cl, so cl != al afterwards means the handler never ran, i.e. somebody else
(SoftICE) took the int 41h. (A read of 0 from port 40h would go undetected.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our own handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; random byte from the timer
    xor     cx,cx
    int     41h             ; our handler does cl = al
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 => open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (offset 0x13 into the subkey string is the 'tICE' of key #2,
      offset 0x37 the 'tICE' of key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>