<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone, a debugger changes it
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


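As an added example (not from the original text), here is a small C scanner that looks for the byte encodings of the checks in Methods 01 to 05 inside a raw code image, so that an analyst can flag them before single-stepping into them. The byte patterns are the 16-bit real-mode encodings of the instructions listed above; the sample image, the signature names and the helper functions are this example's own and are not anything from the original.

```c
/* Added example, not part of the original text: a static scanner for the byte
 * encodings of the SoftICE checks of Methods 01 to 05 (16-bit real-mode forms
 * of the instructions listed). The sample image is constructed, not a real file. */
#include <stdio.h>
#include <string.h>
#define WILD 0x100                      /* pattern entry that matches any byte */
typedef struct { const char *name; const int *pat; size_t len; } sig_t;
typedef struct { const char *name; size_t offset; } hit_t;

/* Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 */
static const int sig_bchk[]  = {0x66,0xBD,0x4B,0x48,0x43,0x42,0xB8,0x04,0x00,0xCC,0x3C,0x04};
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 (AX = 091xh is set earlier) */
static const int sig_magic[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};
/* Methods 03/04: mov ax,1684h / mov bx,VxD_id / int 2Fh, id wildcarded (0202h or 7A5Fh) */
static const int sig_vxd[]   = {0xB8,0x84,0x16,0xBB,WILD,WILD,0xCD,0x2F};
/* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h */
static const int sig_int41[] = {0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3};

#define SIG(n, p) { n, p, sizeof p / sizeof *p }
static const sig_t sigs[] = {
    SIG("Method 01", sig_bchk),   SIG("Method 02", sig_magic),
    SIG("Method 03/04", sig_vxd), SIG("Method 05", sig_int41),
};

/* Scan img for every signature; returns the number of hits stored (at most max). */
size_t scan_image(const unsigned char *img, size_t n, hit_t *hits, size_t max)
{
    size_t count = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof *sigs; s++)
        for (size_t i = 0; i + sigs[s].len <= n; i++) {
            size_t k = 0;
            while (k < sigs[s].len && (sigs[s].pat[k] == WILD || sigs[s].pat[k] == img[i + k]))
                k++;
            if (k == sigs[s].len && count < max) {
                hits[count].name = sigs[s].name;
                hits[count++].offset = i;
            }
        }
    return count;
}

/* Constructed sample: nops, a Haspinst-style back door call, then an int 2Fh/1684h check. */
static const unsigned char sample_image[] = {
    0x90,0x90,0x90,0x90,                        /* nops */
    0xB8,0x11,0x09, 0x8B,0x17,                  /* mov ax,0911h / mov dx,[bx] */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,       /* mov si,4647h / mov di,4A4Dh / int 3 */
    0x90,0x90,
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,  /* mov ax,1684h / mov bx,0202h / int 2Fh */
    0xC3                                        /* ret */
};

/* Accessors over the sample scan: hit count, and the name / offset of hit i ("" / -1 if none). */
size_t sample_hit_count(void) { hit_t h[8]; return scan_image(sample_image, sizeof sample_image, h, 8); }
const char *sample_hit_name(size_t i) { hit_t h[8]; size_t n = scan_image(sample_image, sizeof sample_image, h, 8); return i < n ? h[i].name : ""; }
long sample_hit_offset(size_t i) { hit_t h[8]; size_t n = scan_image(sample_image, sizeof sample_image, h, 8); return i < n ? (long)h[i].offset : -1; }

int main(void) {                                /* list the hits on the constructed sample */
    for (size_t i = 0; i < sample_hit_count(); i++)
        printf("%s at offset 0x%02lx\n", sample_hit_name(i), sample_hit_offset(i));
    return 0;
}
```

On the constructed sample the scanner reports the Method 02 magic-value sequence at offset 9 and the int 2Fh/1684h check at offset 18; a 32-bit module would encode the 'BCHK' move without the 66h prefix, so that pattern only covers 16-bit code.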
___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; remember what al was on entry to the handler
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer value (random-looking)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, cl == al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SoftICE (Win9x) driver can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
falls inside the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>