<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own handler in the IVT (assumes ES = 0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value as an arbitrary test byte
    xor cx,cx
    int 41h                 ; our handler copies AL to CL; SoftICE swallows the call
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
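The breakpoints above catch these tricks at run time; for triage of a packed file before it is ever run, an analyst can look for their byte-level fingerprints statically. The following Python scanner is an added example, not code from the original text: it searches a raw binary for the immediates and strings of Methods 01-07, 11, 12 and 13. The instruction encodings, the rule set and the sample blob are my own assumptions, not taken from the files the text names.

```python
# Added example, not part of the original text: a static triage scanner that
# searches a raw binary for byte-level fingerprints of the anti-SoftICE tricks
# described above (Methods 01-07, 11, 12 and 13). It reports offsets only;
# confirming a trick still requires disassembly at that offset.
import re

# A short gap is allowed between the immediate loads and the interrupt, since
# compilers and packers often interleave other instructions.
GAP = rb".{0,16}?"

# (method, description, regex over raw bytes). The optional \x66 operand-size
# prefix lets each instruction rule match both 16-bit (DOS) and 32-bit code.
RULES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker signature)",
     rb"\x66?\xbd\x4b\x48\x43\x42" + GAP + rb"\xcc"),
    ("02", "mov si,4647h ... mov di,4A4Dh ... int 3 (back door)",
     rb"\x66?\xbe\x47\x46" + GAP + rb"\x66?\xbf\x4d\x4a" + GAP + rb"\xcc"),
    ("03", "mov bx,0202h|7A5Fh ... int 2Fh (SICE/SIWVID VxD ID, Methods 03-04)",
     rb"\x66?\xbb(?:\x02\x02|\x5f\x7a)" + GAP + rb"\xcd\x2f"),
    ("05", "mov ax,4Fh ... int 41h (Methods 05-06)",
     rb"\x66?\xb8\x4f\x00" + GAP + rb"\xcd\x41"),
    ("07", "mov ah,43h ... int 68h", rb"\xb4\x43" + GAP + rb"\xcd\x68"),
    ("11", "MeltICE driver name (narrow ANSI string only)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key string",
     rb"(?i)Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in RULES]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) for every fingerprint found, sorted by offset."""
    hits = [(hit.start(), m) for m, _, rx in COMPILED for hit in rx.finditer(blob)]
    return sorted(hits)


# Constructed sample (not a real file): the Method 02 sequence from the
# Haspinst.exe listing, a Method 03 VxD lookup, a MeltICE driver name and a
# 32-bit Method 01 check, separated by NOP filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17"            # mov ax,0911h ; mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16"    # xor di,di ; mov es,di ; mov ax,1684h
    + b"\xbb\x02\x02\xcd\x2f"            # mov bx,0202h ; int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # '\\.\SICE',0
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp,4243484Bh ('BCHK')
    + b"\x66\xb8\x04\x00\xcc"            # mov ax,4 ; int 3
)

if __name__ == "__main__":
    descriptions = {m: d for m, d, _ in RULES}
    for offset, method in scan(SAMPLE):
        print(f"0x{offset:04x}  Method {method}: {descriptions[method]}")
```

Run it over `open(path, "rb").read()` instead of SAMPLE to triage a real file; a hit on Method 11 or 13 in a UTF-16 string table will be missed, since the rules only cover narrow strings.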

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>