About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises on int 3:
when SoftICE is loaded it services the 'BCHK' request and al no longer
holds 4 on return, so anything other than al=4 means a debugger.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; untouched (al still 4) only if nobody handled the request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 3 handler (the
  original calls it an SEH; DOS has no SEH as such) if the debugger is not
  loaded: with SoftICE absent, int 3 lands in that handler instead of
  falling through to 00A1.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"): ES:DI is left at 0:0 when no VxD with that ID
is loaded.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; crude: 0 only when es:di is still 0:0 (ignores a 16-bit wrap)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must already hold 0 (the IVT segment) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler, old vector saved in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; the dummy handler leaves ax=4fh; only a debugger below the IVT returns F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect, as no
fixed function number (4Fh) is passed that a conditional breakpoint could key on:


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = unpredictable value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our own handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

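As an added illustration (not code from the original article, and not reading any real register, which would need ring 0): decoding DR7 the way a check of this kind interprets it, using the documented x86 bit layout. 0x400 is just the always-set reserved bit 10; 0x700 adds LE and GE (bits 8 and 9), which is what the SoftICE loader leaves behind; an armed BPM shows up as an Li/Gi enable bit plus R/W and LEN fields. The function names (decode_dr7, dr7_arm, dr7_clear_bpms, looks_debugged) and the armed sample value are mine.

```c
/* Added example, not from the original article. DR7 layout (Intel SDM):
 *   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bit 8 LE, bit 9 GE, bit 10 reserved (always reads 1), bit 13 GD
 *   bits 16+4i R/Wi (2 bits), bits 18+4i LENi (2 bits) for slot i = 0..3
 * Inputs are the 0x700 / 0x400 values quoted in the text plus a value
 * constructed with dr7_arm(); nothing here touches real debug registers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int enabled;   /* Li or Gi set */
    int global;    /* Gi set */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len;       /* breakpoint length in bytes */
} dr_slot_t;

typedef struct {
    dr_slot_t slot[4];
    int le, ge, gd;
    int active;    /* number of enabled slots */
} dr7_t;

static const int LEN_BYTES[4] = {1, 2, 8, 4};   /* LEN field encoding; 8 is 64-bit only */

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].enabled = l | g;
        d.slot[i].global  = g;
        d.slot[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len     = LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3];
        d.active         += d.slot[i].enabled;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* What a debugger writes to arm slot i (0..3) as a memory breakpoint (BPM). */
uint32_t dr7_arm(uint32_t dr7, int i, int rw, int len_field)
{
    dr7 |= 1u << (2 * i);                                   /* Li (local enable) */
    dr7 &= ~(0xFu << (16 + 4 * i));                         /* clear old R/Wi + LENi */
    dr7 |= ((((uint32_t)len_field & 3) << 2) | ((uint32_t)rw & 3)) << (16 + 4 * i);
    return dr7;
}

/* "Clearing BPMs" as the text describes: drop every enable and condition bit,
 * keep bits 8-15 (LE/GE, the reserved bit, GD) so the register looks untouched. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

/* The check itself: loaded via the SoftICE loader (LE and GE set) or any BPM armed. */
int looks_debugged(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.active > 0 || (d.le && d.ge);
}

int main(void)
{
    /* constructed values: bare, loader-style, and loader-style + one 4-byte RW BPM in DR0 */
    uint32_t samples[3] = { 0x400u, 0x700u, dr7_arm(0x700u, 0, 3, 3) };
    for (int s = 0; s < 3; s++) {
        dr7_t d = decode_dr7(samples[s]);
        printf("DR7=%08x LE=%d GE=%d GD=%d active=%d debugged=%d\n",
               (unsigned)samples[s], d.le, d.ge, d.gd, d.active, looks_debugged(samples[s]));
        for (int i = 0; i < 4; i++)
            if (d.slot[i].enabled)
                printf("  DR%d: %s rw=%d len=%d\n", i,
                       d.slot[i].global ? "global" : "local", d.slot[i].rw, d.slot[i].len);
    }
    printf("after clearing BPMs: %08x\n", (unsigned)dr7_clear_bpms(samples[2]));
    return 0;
}
```

Reading DR0..DR3 tells you where each enabled slot points; DR7 alone already tells you whether anything is armed, which is why the text warns against tracing with a BPM set while the protected code runs this check.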
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* device name \\.\SICE; the backslashes are doubled in the C literal */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; eax was -1 (HFILE_ERROR) if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

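Added example, not code from the original article or from any real tool: a byte-signature scanner that flags the instruction sequences of methods 01, 02, 03/04, 05, 07 and 12 in a code image, the way you would triage a packed executable before loading it under SoftICE. The signatures are the plain x86 encodings of the snippets shown in those sections; methods 03 and 04 share one signature with the VxD ID wildcarded, so any int 2Fh/1684h probe is flagged, not only SICE/SIWVID. The sample buffer is constructed by hand (it is not taken from Haspinst.exe, Bleem or any other binary), and the function and table names are mine.

```c
/* Added example (not from the original article): signature scan for the
 * anti-SoftICE sequences of methods 01-07 and 12. Encodings are plain x86:
 * mov r16,imm16 = B8+r iw ; int n = CD ib ; int 3 = CC ; mov ah,imm8 = B4 ib ;
 * push imm32 = 68 id ; mov ebp,imm32 = BD id. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *method;
    const unsigned char *bytes;
    const unsigned char *mask;   /* 0xFF = byte must match, 0x00 = wildcard */
    size_t len;
} signature_t;

typedef struct { size_t offset; const char *method; } hit_t;

/* 01: mov ebp,04243484Bh ('BCHK')                      -> BD 4B 48 43 42 */
static const unsigned char s01[] = {0xBD,0x4B,0x48,0x43,0x42};
static const unsigned char k01[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* 02: mov si,4647h ; mov di,4A4Dh (backdoor magic)      -> BE 47 46 BF 4D 4A */
static const unsigned char s02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};
static const unsigned char k02[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
/* 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh      -> B8 84 16 BB ?? ?? CD 2F */
static const unsigned char s03[] = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};
static const unsigned char k03[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0xFF,0xFF};
/* 05: mov ax,4Fh ; int 41h                             -> B8 4F 00 CD 41 */
static const unsigned char s05[] = {0xB8,0x4F,0x00,0xCD,0x41};
static const unsigned char k05[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* 07: mov ah,43h ; int 68h                             -> B4 43 CD 68 */
static const unsigned char s07[] = {0xB4,0x43,0xCD,0x68};
static const unsigned char k07[] = {0xFF,0xFF,0xFF,0xFF};
/* 12: push 4Fh ; push 2A002Ah (VxDCall Int41Dispatch)  -> 68 4F 00 00 00 68 2A 00 2A 00 */
static const unsigned char s12[] = {0x68,0x4F,0x00,0x00,0x00,0x68,0x2A,0x00,0x2A,0x00};
static const unsigned char k12[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

static const signature_t SIGS[] = {
    {"01 BCHK/int 3",            s01, k01, sizeof s01},
    {"02 backdoor/int 3",        s02, k02, sizeof s02},
    {"03/04 int 2F/1684",        s03, k03, sizeof s03},
    {"05 int 41/4F",             s05, k05, sizeof s05},
    {"07 int 68/43",             s07, k07, sizeof s07},
    {"12 VxDCall Int41Dispatch", s12, k12, sizeof s12},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int match_at(const unsigned char *p, size_t avail, const signature_t *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if ((p[i] & s->mask[i]) != (s->bytes[i] & s->mask[i])) return 0;
    return 1;
}

/* Scan buf[0..len); store up to max_hits hits in offset order; return the total found. */
size_t scan_anti_softice(const unsigned char *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf + off, len - off, &SIGS[k])) {
                if (n < max_hits) { hits[n].offset = off; hits[n].method = SIGS[k].method; }
                n++;
            }
    return n;
}

/* Constructed code fragment chaining the tricks (16- and 32-bit encodings exactly
 * as they appear in each method's snippet); not taken from any real binary. */
const unsigned char SAMPLE_CODE[] = {
    0x90, 0x90,                                       /* nop ; nop */
    0xB8, 0x11, 0x09, 0x8B, 0x17,                     /* mov ax,0911h ; mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,         /* mov si,4647h ; mov di,4A4Dh ; int 3   (02 @7)  */
    0x33, 0xFF, 0x8E, 0xC7,                           /* xor di,di ; mov es,di */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,   /* mov ax,1684h ; mov bx,0202h ; int 2Fh (03 @18) */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,   /* mov ax,4Fh ; int 41h ; cmp ax,0F386h   (05 @26) */
    0xB4, 0x43, 0xCD, 0x68,                           /* mov ah,43h ; int 68h                   (07 @34) */
    0x68, 0x4F, 0x00, 0x00, 0x00,
    0x68, 0x2A, 0x00, 0x2A, 0x00,                     /* push 4Fh ; push 2A002Ah                (12 @38) */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0xCC,               /* mov ebp,'BCHK' ; int 3                 (01 @48) */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    hit_t hits[16];
    size_t n = scan_anti_softice(SAMPLE_CODE, SAMPLE_CODE_LEN, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset 0x%02zx: method %s\n", hits[i].offset, hits[i].method);
    printf("%zu anti-SoftICE sequence(s) found\n", n);
    return 0;
}
```

A scan like this only catches the literal encodings; a protector that builds the magic values arithmetically (for example xor-ing si and di into place) or unpacks the check at run time will not match, so it is a triage aid before you set the breakpoints listed above, not a substitute for them.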
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>