<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (like the next one) is used by most
packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, an INT 3 is answered by SoftICE, which changes AL.
Without SoftICE, INT 3 is an ordinary breakpoint interrupt and AL keeps
the value 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands. It is also used to crash SoftICE or to force
it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
' }; U) P) ]9 j& _
: P8 i7 B6 M# r8 L: a7 C5 B7 b0 w- }3 g
Method 03
=========

Less used method. It looks for the SoftICE VxD by its device ID via
INT 2Fh/AX=1684h (Get Device API Entry Point). The call returns the VxD's
API entry point in ES:DI, or ES:DI = 0000:0000 if no VxD with that ID is
loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
; F# a# w8 I, W
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________
4 R- ~" r- V: m/ r; K4 |) H: D6 W
) X+ ~. y( y3 ]0 S- {* Z
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls INT 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one as well as the one in Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode INT 41h vector is
first replaced by a dummy handler, so that a plain TSR hook on INT 41h is
bypassed; if AX still comes back as 0F386h, the interrupt was intercepted
below the IVT, i.e. by SoftICE:

 xor ax,ax
 mov es,ax ; ES must address the IVT (segment 0), as in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________
, l0 |8 \" d. b/ b! d# r: V* A0 o+ \# Y; n. C
Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
since neither function 4Fh nor the constant 0F386h appears. A
pseudo-random value is read from the timer port 40h into AL, CX is
cleared, and INT 41h is issued with a private handler installed in the
IVT. If the handler actually runs, it copies AL to CL and the compare
succeeds; if SoftICE swallows the interrupt, the handler never runs, CL
stays 0 and differs from AL. (If the timer happens to return 0, the
check misses: a false negative the trick accepts.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
/ _* N6 `0 F: Q4 z: u; e, S8 }/ V6 V+ _
Method 07
=========

Method detecting the WinICE handler on INT 68h (V86), function AH=43h,
which also answers with the magic number 0F386h:

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________
) b" e/ P' v1 L- S( F; b; q; \5 H* x) V6 o
Method 08
=========

Not a method of SoftICE detection but a way to crash the system (or the
debugger) by intercepting INT 01h and INT 03h and redirecting them to
another routine. It uses INT 21h functions 35h (get interrupt vector) and
25h (set interrupt vector), with DS:DX pointing to the new routine to
execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS must hold its segment
 int 21h

__________________________________________________________________________
# x/ U8 m" R" c4 W4 \& Z# L8 y/ D+ G
Method 09
=========

This method is close to Methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
* p2 u& k7 Q6 c) c' L% }
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE Loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3 hold their linear
addresses, DR7 their enable bits) simply by reading their value (in ring 0
only, since MOV from a debug register faults in ring 3). The values can
be manipulated or changed as well (clearing BPMs for instance).
Bit 10 of DR7 is reserved and always reads as 1, which is the 0x400
baseline; 0x700 additionally has the LE and GE (exact breakpoint) bits
set, and an enabled BPM sets the corresponding L0-L3/G0-G3 bit.

__________________________________________________________________________
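To make the DR7 values above concrete, here is an added example (written for this page, not code from the original text or from NuMega) that decodes a DR7 value into its enabled breakpoint slots and global flags, and builds the bits a debugger would set for one BPM. It follows the architectural x86 layout of DR7; the sample values mentioned in the usage note are constructed.

```python
# Added example (not from the original text): decode/encode the x86 DR7
# debug-control register as read in Method 10. Layout per the Intel SDM:
#   bits 0-7   L0,G0 .. L3,G3   local/global enable per slot (DR0..DR3)
#   bit 8/9    LE/GE            exact breakpoint enables
#   bit 10     reserved, always 1 (the 0x400 baseline)
#   bit 13     GD               fault on any access to DR0-DR7
#   bits 16+   R/Wn (2 bits) and LENn (2 bits) for slot n, 4 bits per slot
from dataclasses import dataclass
from typing import List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 = 8 bytes only in 64-bit mode

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10
DR7_GD = 1 << 13


@dataclass
class HwBreakpoint:
    slot: int       # DRn holding the linear address
    local: bool
    glob: bool
    kind: str       # execute / write / io / read-write
    length: int     # bytes covered


@dataclass
class Dr7State:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint]


def decode_dr7(dr7: int) -> Dr7State:
    """Return the enabled hardware breakpoint slots and the global flags of DR7."""
    bps = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        # execute breakpoints must use LEN=00 and cover exactly one byte
        length = 1 if rw == 0 else LEN_BYTES[ln]
        bps.append(HwBreakpoint(slot, local, glob, RW_KIND[rw], length))
    return Dr7State(dr7, bool(dr7 & DR7_LE), bool(dr7 & DR7_GE),
                    bool(dr7 & DR7_GD), bps)


def encode_slot(slot: int, kind: str, length: int = 1,
                local: bool = True, glob: bool = False) -> int:
    """DR7 bits a debugger sets for one breakpoint (reserved bit included)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = 0 if kind == "execute" else {v: k for k, v in LEN_BYTES.items()}[length]
    bits = DR7_RESERVED_ONE
    bits |= (int(local) | (int(glob) << 1)) << (2 * slot)
    bits |= (rw | (ln << 2)) << (16 + 4 * slot)
    return bits


def dr7_touched(dr7: int) -> bool:
    """Method-10 test: anything beyond the reserved bit means a debugger set DR7
    (0x700 = Loader-started process, or live BPMs); 0x400 alone proves nothing."""
    return (dr7 & ~DR7_RESERVED_ONE) != 0


def describe(dr7: int) -> List[str]:
    """One line per enabled slot, e.g. 'DR1: local read/write 4 byte(s)'."""
    st = decode_dr7(dr7)
    return [f"DR{b.slot}: {'global ' if b.glob else ''}{'local ' if b.local else ''}"
            f"{b.kind} {b.length} byte(s)" for b in st.breakpoints]
```

decode_dr7(0x700) reports LE and GE with no slots, i.e. the Loader case from the text, while a constructed DR7 of 0xF00404 decodes as a local 4-byte read/write breakpoint in slot 1 (a BPMD ... RW on the address held in DR1). Reading DR7 itself still needs ring 0, as the text says; this code only interprets a value obtained there.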
! j& z& ^+ g3 _4 q; _; I) L# O9 H! k' P( e
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the
driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through the VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 /
VxDCall function), and then walks the DDB list until it finds the VxD and
its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could
a shareware soft load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
4 bytes compared are the first 4 characters of the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
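As an added example (written for this page, not MeltICE's or NuMega's code), here is the same probe in Python: the three device names are opened with the exact CreateFile arguments of IsSoftIce95Loaded() above through ctypes on Windows, and the opener is injectable so the decision logic can be exercised on any host. bpx_tag() shows which 4 bytes the classical breakpoint compares. Outside Windows the default opener simply reports nothing; that is an assumption of this example, not something the original text states.

```python
# Added example (not from the original page): MeltICE-style probe in Python.
import sys
import ctypes
from typing import Callable, Optional

# Device names MeltICE tries: SICE and SIWVID on Win9x, NTICE on WinNT.
SOFTICE_DEVICES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")

# CreateFile arguments exactly as in IsSoftIce95Loaded().
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value   # the -1 compared at 00401071


def win32_open_device(name: str) -> bool:
    """Real probe: True if CreateFileW(name, ...) returns a valid handle.
    Assumption of this example: on non-Windows hosts nothing is probed."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.CreateFileW(name, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h is None or h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)    # MeltICE closes the handle right away, as above
    return True


def find_softice(open_device: Callable[[str], bool] = win32_open_device) -> Optional[str]:
    """MeltICE's decision: the first SoftICE device that opens, or None."""
    for name in SOFTICE_DEVICES:
        if open_device(name):
            return name
    return None


def bpx_tag(device: str) -> bytes:
    """The 4 bytes 'BPX CreateFileA if *(esp->4+4)==...' looks at:
    esp->4 is lpFileName, +4 skips the 4-character device prefix."""
    return device.encode("ascii")[4:8]
```

The _lopen variant from AZPR is the same check through a different entry point, so the same injectable decision applies; on the SoftICE side, the breakpoints listed above catch both.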
& T$ @- J: Z5 ^9 t) X/ Y$ h3 i" @
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available under
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
" y! t0 z/ Z' z8 H' ~
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 'tICE' sits at offset 0x13 in key #2
and at offset 0x37 in key #1, so key #3 is not caught by this condition)

__________________________________________________________________________
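Added example (written for this page, not taken from the original text or from any of the programs it mentions): the registry lookup of Method 13 done with winreg on Windows, with the lookup injectable so the logic runs anywhere, plus a derivation of the 0x13 / 0x37 offsets in the breakpoint above from the key strings themselves. The "nothing to read off Windows" behaviour and the sample values in the usage note are constructed assumptions.

```python
# Added example (not from the original text): registry side of Method 13.
import sys
from typing import Callable, List, Optional, Tuple

# The three HKEY_LOCAL_MACHINE subkeys listed above; #2 is the usual one.
SOFTICE_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",        # #1
    r"Software\NuMega\SoftICE",                                             # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",    # #3
)


def winreg_lookup(subkey: str) -> Optional[str]:
    """Real lookup under HKLM: the key's default value ('' if unset) when the
    key exists, None when it does not. Assumption: nothing to read off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            try:
                return winreg.QueryValue(key, None) or ""
            except OSError:
                return ""
    except OSError:
        return None


def softice_traces(lookup: Callable[[str], Optional[str]] = winreg_lookup
                   ) -> List[Tuple[str, str]]:
    """(subkey, default value) for every SoftICE key present; #3's default
    value is the path of Loader32.Exe, which locates the install directory."""
    hits = []
    for subkey in SOFTICE_KEYS:
        value = lookup(subkey)
        if value is not None:
            hits.append((subkey, value))
    return hits


def tice_offsets(subkeys=SOFTICE_KEYS) -> List[int]:
    """Offset of the bytes 'tICE' inside each lpSubKey string (-1 if absent).
    These are the constants in: BPX _regopenkey if *(esp->8+0x13)=='tICE' ||
    *(esp->8+0x37)=='tICE'  (esp->8 is RegOpenKey's lpSubKey argument)."""
    return [k.find("tICE") for k in subkeys]


def regopenkey_bpx_hit(subkey: str, offsets=(0x13, 0x37)) -> bool:
    """Evaluate the breakpoint condition on one lpSubKey argument."""
    return any(subkey[off:off + 4] == "tICE" for off in offsets)
```

tice_offsets() returns [0x37, 0x13, -1]: "Software\Microsoft\Windows\CurrentVersion\Uninstall\Sof" is 55 = 0x37 characters and "Software\NuMega\Sof" is 19 = 0x13, while key #3 never contains 'tICE', so a program that only reads the Loader32.Exe App Path slips past that breakpoint.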
0 v/ C/ i# y& T
/ A% x; {- |. e: S! t& C# U
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). It returns with the zero flag clear if a debugger is
installed.

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>