<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di    ; ES:DI stays 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax              ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; ...and restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h         ; our handler leaves ax alone, SoftICE returns 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h             ; al = value read from the timer port (no 4fh signature)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; cl==al only if our handler was really called
    jnz SoftICE_detected   ; int 41h was intercepted -> cl is still 0
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h              ; DOS set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov  eax,[00656634]  ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589        ; detected
    push 00              ; OF_READ
    mov  eax,[00656638]  ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae        ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

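As an added example (my own code, not part of the original text nor of any tool it mentions), here is a small static scanner that flags the byte patterns behind Methods 01, 02, 03/04, 05, 07 and 12 and the MeltICE device names of Method 11, the way an analyst would triage a sample before debugging it. The byte fragments are my own encodings of the instruction sequences quoted above, and the sample bytes are constructed.

```python
# Rules: (name, ordered byte fragments, window). Fragments are the 16-bit
# encodings; 32-bit code only adds a 66h prefix in front of them, so they still
# match. All fragments must occur, in order, within `window` bytes of the first
# one, which tolerates other instructions interleaved between them.
RULES = [
    # mov ebp,4243484Bh 'BCHK' .. int 3 .. cmp al,4  (BoundsChecker signature)
    ("M01 BCHK/int 3", [b"\xBD\x4B\x48\x43\x42", b"\xCC", b"\x3C\x04"], 24),
    # mov si,4647h .. mov di,4A4Dh .. int 3  (back door magic values)
    ("M02 int 3 back door", [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"], 16),
    # mov ax,1684h .. mov bx,0202h / 7A5Fh .. int 2Fh  (SICE / SIWVID VxD ID)
    ("M03 int 2F/1684h SICE", [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"], 16),
    ("M04 int 2F/1684h SIWVID", [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"], 16),
    # mov ax,4Fh .. int 41h .. cmp ax,0F386h
    ("M05 int 41h/4Fh", [b"\xB8\x4F\x00", b"\xCD\x41", b"\x86\xF3"], 24),
    # mov ah,43h .. int 68h .. cmp ax,0F386h
    ("M07 int 68h/43h", [b"\xB4\x43", b"\xCD\x68", b"\x86\xF3"], 16),
    # push 002A002Ah (VWIN32_Int41Dispatch) .. VxDCall .. cmp ax,0F386h
    ("M12 VxDCall Int41Dispatch", [b"\x68\x2A\x00\x2A\x00", b"\x86\xF3"], 32),
]
# Method 11 (MeltICE) is a data pattern: the device names it tries to open.
DRIVER_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _match_at(data, start, frags, window):
    """True if every fragment occurs, in order, inside data[start:start+window]."""
    pos = start
    for frag in frags:
        idx = data.find(frag, pos, start + window)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


def scan(data):
    """Return [(rule name, offset)] for every pattern found in the byte string."""
    hits = []
    for name, frags, window in RULES:
        start = data.find(frags[0])
        while start >= 0:
            if _match_at(data, start, frags, window):
                hits.append((name, start))
            start = data.find(frags[0], start + 1)
    for name in DRIVER_NAMES:
        off = data.find(name)
        if off >= 0:
            hits.append(("M11 MeltICE " + name.decode(), off))
    return hits


# Constructed sample: a NOP sled, the Haspinst loop of Method 02 (16-bit), a
# 32-bit Method 05 check (note the 66h prefixes) and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x10"
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it on the unpacked image: packers keep these checks encrypted on disk, and a variant using other registers or computed constants will not match, so an empty result is not proof of absence.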
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>