<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with the 'BCHK' signature in
EBP and AX=4, INT 3 is serviced by SoftICE, which changes AL; if AL is still
4 afterwards, SoftICE is not there.

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4
  jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h         ; VxD ID of winice
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh         ; VxD ID of SIWVID
  int 2fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The following example, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real int 41h vector is swapped out for
a dummy handler during the call, so only a debugger sitting above the
vector table can still answer with the magic number:

  xor ax,ax
  mov es,ax                 ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]       ; install our dummy handler, save the old vector
  xchg bx, es:[41h*4+2]
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]       ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, so CL differs from AL only if something else
(the debugger) swallowed the int 41h instead of our handler:

int41handler PROC
  mov cl,al                 ; our handler ran: CL = AL
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax                 ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]       ; install our handler, save the old vector
  xchg bx, es:[41h*4+2]
  in al, 40h                ; timer byte: a value hard to predict
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]       ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl,al
  jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

  mov ah, 25h                      ; set interrupt vector
  mov al, Int_Number               ; 01h or 03h
  mov dx, offset New_Int_Routine   ; ds:dx -> new handler
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or if there are some memory breakpoints set (dr0 to
dr3), simply by reading their value (in ring0 only). Values can be
manipulated and/or changed as well (clearing BPMs for instance).
__________________________________________________________________________

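As an added example (not part of the original text), here is a Python decoder for the DR7 layout that Method 10 relies on. It shows why an idle DR7 reads 0x400 (the reserved bit 10 always reads as 1), that the 0x700 value the text attributes to the SoftICE loader is that bit plus the LE and GE exact-breakpoint flags, and how the enable bits and R/W and LEN fields reveal breakpoints armed in DR0 to DR3. Bit positions are the documented x86 ones; the function names and classification strings are this example's own.

```python
# Decoder for the x86 DR7 debug-control register (added example, not from the
# original text). Bit positions follow the documented x86 layout:
#   bits 0-7    L0,G0 ... L3,G3  local/global enable for DR0..DR3
#   bit 8 / 9   LE / GE          local/global exact breakpoint flags
#   bit 10      reserved, always reads as 1 (so an idle DR7 is 0x400)
#   bit 13      GD               general detect: trap on any MOV to/from DRn
#   bits 16-31  R/W n, LEN n     two 2-bit fields per breakpoint (4 bits each)

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes on 64-bit CPUs

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enabled breakpoints and its global flags."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            length = (dr7 >> (18 + 4 * n)) & 3
            breakpoints.append({
                "index": n, "local": local, "global": glob,
                "type": RW_NAMES[rw], "length": LEN_NAMES[length],
            })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
    }


def classify_dr7(dr7: int) -> str:
    """Apply the two observations of Method 10 to a DR7 value."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        regs = ", ".join(f"DR{bp['index']}" for bp in info["breakpoints"])
        return f"hardware breakpoint(s) armed: {regs}"
    if info["le"] and info["ge"]:
        return "LE+GE set (the 0x700 value Method 10 attributes to the SoftICE loader)"
    return "idle (only the always-set reserved bit 10)"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus DR0 armed as a
    # global 4-byte write breakpoint (G0 | R/W0=01b | LEN0=11b | reserved bit).
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), "->", classify_dr7(value), decode_dr7(value))
```

The decoder reads the registers' documented bit fields only; obtaining the DR values themselves requires ring0, as the text says, and is outside this example.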
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name of the SICE VxD only succeeds when it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(
-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                ; OF_READ
  mov eax,[00656634]     ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589           ; detected
  push 00                ; OF_READ
  mov eax,[00656638]     ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxdCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
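As an added example (not part of the original text), here is a small Python scanner that looks for the byte patterns the tricks of Methods 01 to 07, 11 and 12 leave in a binary, the way an analyst would triage a packed sample before loading it in a debugger. The rule bytes are the standard x86 encodings of the instructions shown in those methods; the rule names, the WINDOW size and the constructed SAMPLE bytes are this example's own assumptions, not data from the page.

```python
# Static scanner for the code patterns the SoftICE-detection tricks in
# Methods 01 to 07, 11 and 12 leave in a binary (added example, not from the
# original text). Rule byte strings are the standard x86 encodings of the
# instructions shown in those methods:
#   B8/BB/BE/BF iw  MOV AX/BX/SI/DI, imm16      BD id  MOV EBP, imm32
#   B4 ib  MOV AH, imm8      CC  INT 3      CD ib  INT imm8
#   6A ib  PUSH imm8         68 id  PUSH imm32
# A rule fires only when all of its fragments sit within WINDOW bytes of one
# another, so a lone INT 41h or a stray constant is not reported.
from dataclasses import dataclass

WINDOW = 32  # assumption: the instructions of one trick are within 32 bytes


@dataclass(frozen=True)
class Rule:
    method: str
    description: str
    fragments: tuple  # bytes objects; all must be present near the first one


RULES = (
    Rule("01", "BoundsChecker interface: MOV EBP,'BCHK' + INT 3",
         (b"\xBD\x4B\x48\x43\x42", b"\xCC")),
    Rule("02", "back door: MOV SI,4647h / MOV DI,4A4Dh + INT 3",
         (b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC")),
    Rule("03", "INT 2Fh/1684h with VxD ID 0202h (SICE)",
         (b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F")),
    Rule("04", "INT 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
         (b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F")),
    Rule("05", "INT 41h function 4Fh (expects magic 0F386h)",
         (b"\xB8\x4F\x00", b"\xCD\x41")),
    Rule("07", "INT 68h function AH=43h",
         (b"\xB4\x43", b"\xCD\x68")),
    Rule("11", "device name \\\\.\\SICE (MeltICE / _lopen variant)",
         (b"\\\\.\\SICE",)),
    Rule("11", "device name \\\\.\\SIWVID (MeltICE / _lopen variant)",
         (b"\\\\.\\SIWVID",)),
    Rule("11", "device name \\\\.\\NTICE (MeltICE / _lopen variant)",
         (b"\\\\.\\NTICE",)),
    Rule("12", "VxDCall VWIN32_Int41Dispatch: PUSH 4Fh / PUSH 002A002Ah",
         (b"\x6A\x4F", b"\x68\x2A\x00\x2A\x00")),
)


def scan(blob: bytes):
    """Return (method, description, offset) for each rule found in blob."""
    hits = []
    for rule in RULES:
        first = rule.fragments[0]
        pos = blob.find(first)
        while pos != -1:
            # Look both before and after the anchor fragment so the order of
            # the instructions does not matter.
            region = blob[max(0, pos - WINDOW):pos + WINDOW]
            if all(region.find(frag) != -1 for frag in rule.fragments):
                hits.append((rule.method, rule.description, pos))
                break  # one report per rule is enough
            pos = blob.find(first, pos + 1)
    return hits


def methods_found(blob: bytes):
    """Sorted, de-duplicated method numbers that fired on blob."""
    return sorted({method for method, _, _ in scan(blob)})


# Constructed sample: the Haspinst.exe back-door loop of Method 02, an
# INT 2Fh/1684h probe (Method 03), a VxDCall probe (Method 12) and a MeltICE
# device name (Method 11), padded with NOPs. This is not a real file.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"                       # MOV AX,0911h
    + b"\x8B\x17"                           # MOV DX,[BX]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # MOV SI,4647h / MOV DI,4A4Dh / INT 3
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # MOV AX,1684h / MOV BX,0202h / INT 2Fh
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # PUSH 4Fh / PUSH 002A002Ah
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)


if __name__ == "__main__":
    for method, description, offset in scan(SAMPLE):
        print(f"Method {method} at offset 0x{offset:04X}: {description}")
```

Run against a real file, replace SAMPLE with the file's bytes; the proximity window is what keeps the scanner from flagging every INT 41h or every 'BCHK'-like constant in unrelated code, and it is the knob to widen if a packer spreads the instructions out.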
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>