About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
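The DR7 values quoted above can be read off the register's documented bit layout. The following decoder is an added example (it is not code from the original post) that turns a DR7 value and the DR0-DR3 addresses into the list of armed hardware breakpoints, and reports the LE/GE bits that distinguish the 0x700 case from the bare 0x400 value (bit 10 of DR7 always reads as 1, which is where 0x400 comes from). The function names, the HwBreakpoint type and all register values used here are my own constructions.

```python
"""Hardware debug register decoder for the check described in Method 10.

Added example, not code from the original post.  DR7 holds the enable bits
(L0/G0 .. L3/G3 in bits 0-7), the LE/GE flags (bits 8 and 9) and, per slot,
a 2-bit R/W type and a 2-bit length field in bits 16-31; bit 10 always
reads as 1, so an idle DR7 is 0x400 and the post's 0x700 adds LE and GE.
Every register value used below is constructed for illustration.
"""
from dataclasses import dataclass

RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 means 8 bytes on x86-64 only


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / io / read/write
    length: int      # bytes covered by the breakpoint
    local: bool      # L<n> bit (task-local enable)
    global_: bool    # G<n> bit (global enable)


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return (list of armed HwBreakpoint, dict of DR7 control flags)."""
    armed = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                     # slot not enabled: DRn may hold stale data
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        armed.append(HwBreakpoint(slot, dr0_3[slot], RW_TYPES[rw],
                                  LEN_BYTES[ln], local, glob))
    flags = {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),     # general detect: traps MOV to/from DRn
    }
    return armed, flags


def matches_softice_loader_pattern(dr7):
    """The post's heuristic: dr7 == 0x700, i.e. LE and GE set and nothing armed."""
    armed, flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"] and not armed


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable report, one line per armed breakpoint."""
    armed, flags = decode_dr7(dr7, dr0_3)
    lines = [f"DR7={dr7:#010x} LE={flags['LE']} GE={flags['GE']} GD={flags['GD']}"]
    for bp in armed:
        scope = "global" if bp.global_ else "local"
        lines.append(f"  DR{bp.slot}={bp.address:#010x} {bp.kind} len={bp.length} ({scope})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: the two cases the post mentions, then one armed
    # 4-byte write breakpoint (a BPM-style watch) in slot 0.
    for dr7, regs in [(0x400, (0, 0, 0, 0)),
                      (0x700, (0, 0, 0, 0)),
                      (0x700 | 0b1 | (0b01 << 16) | (0b11 << 18), (0x401000, 0, 0, 0))]:
        print(describe(dr7, regs))
        print("  loader pattern:", matches_softice_loader_pattern(dr7))
```

Reading DR7 needs ring0, exactly as the post says; the decoder is meant for values captured from a kernel debugger, a crash dump or a VM introspection tool, where it tells you which slots a protection routine would see as "memory breakpoints set".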

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
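The breakpoints given throughout this post catch the tricks at run time. A static indicator scan complements them when triaging a binary without loading it under a debugger; the one below is an added example (not code from the original post or its author) that searches a raw image for the opcode sequences of Methods 01-07 and 12, the device names of Method 11 and the registry keys of Method 13. The byte encodings were derived by hand from the listings above (with an optional 66h operand-size prefix so the 16-bit and 32-bit forms both match); the signature keys, the scan function and SAMPLE_IMAGE are my own constructions, not a real executable.

```python
"""Static indicator scan for the anti-SoftICE tricks listed in this post.

Added example, not code from the original post.  It looks for the machine
code behind the interrupt-based checks (Methods 01-07 and 12: the
mov/int/cmp/push sequences carrying the SoftICE magic values), the device
names opened by the MeltICE-style checks (Method 11) and the registry keys
of Method 13.  The opcode encodings were derived by hand from the listings;
SAMPLE_IMAGE is a constructed buffer, not a real executable.
"""
import re

# Opcode patterns.  The optional 66h operand-size prefix lets each pattern
# match the 16-bit (DOS) and 32-bit (Win32) encodings of the same listing.
OPCODE_SIGNATURES = [
    ("M01", "mov ebp,'BCHK' / mov ax,4 / int 3",
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc"),
    ("M02", "mov si,4647h / mov di,4A4Dh (int 3 back door magic values)",
     rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    ("M03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)",
     rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x02\x02\xcd\x2f"),
    ("M04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",
     rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x5f\x7a\xcd\x2f"),
    ("M05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    ("M07", "mov ah,43h / int 68h (V86 WinICE handler)",
     rb"\xb4\x43\xcd\x68"),
    ("M12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("F386", "cmp ax,0F386h (system debugger magic number)",
     rb"(?:\x66)?\x3d\x86\xf3"),
]

# Plain-string indicators, matched case-insensitively.
STRING_SIGNATURES = [
    ("M11", "SoftICE Win9x driver device name", b"\\\\.\\SICE"),
    ("M11", "SoftICE video driver device name", b"\\\\.\\SIWVID"),
    ("M11", "SoftICE NT driver device name", b"\\\\.\\NTICE"),
    ("M13", "SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    ("M13", "SoftICE uninstall key", b"Uninstall\\SoftICE"),
    ("M13", "Loader32 App Paths key", b"App Paths\\Loader32.Exe"),
]

COMPILED = (
    [(k, d, re.compile(p)) for k, d, p in OPCODE_SIGNATURES]
    + [(k, d, re.compile(re.escape(s), re.IGNORECASE)) for k, d, s in STRING_SIGNATURES]
)


def scan(image):
    """Return [(offset, key, description)] for every indicator found, sorted by offset."""
    hits = []
    for key, desc, rx in COMPILED:
        for m in rx.finditer(image):
            hits.append((m.start(), key, desc))
    hits.sort()
    return hits


# Constructed sample: NOP padding around a Method 02 style sequence, a
# Method 03 probe, a Method 05 probe with its 0F386h compare, then two
# device names and a registry key as a program's string table would hold them.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                       # mov ax,0911h
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"       # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, key, desc in scan(SAMPLE_IMAGE):
        print(f"{off:#06x}  {key:<4}  {desc}")
```

To run it on a real file, pass the file's bytes to scan(). The scan only sees the literal sequences, so a check that loads its registers in another order or builds the '\\.\SICE' string at run time is missed; that is exactly the gap the post's BPX and BPINT conditions cover from the other side.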

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>