<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table (added, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; our handler leaves AX alone; SoftICE answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; our handler echoes AL into CL
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; AL = changing timer value, not function 4Fh
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; if SoftICE swallowed the int, CL is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD by its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open only succeeds when the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025  ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
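The methods above all leave fixed constants in the protected binary: the 'BCHK' signature (Method 01), the 4647h/4A4Dh back door magic (02), the int 2Fh/1684h VxD-ID probes (03, 04), the int 41h/4Fh and int 68h/43h debugger checks (05, 06, 07), the \\.\SICE, \\.\SIWVID and \\.\NTICE device names (11), the 002A002Ah VxDCall service (12) and the registry key names (13). The scanner below is an added example, not code from the original text: it encodes those constants as byte patterns so an analyst can triage a sample for these tricks before single-stepping it. The opcode patterns assume straight-line 16-bit encodings in the order shown in the text, and the device names and registry keys are also checked as UTF-16LE, which goes beyond the text (it only mentions CreateFileA and _lopen); the sample buffer is constructed here, not taken from any real program.

```python
"""Static triage for the SoftICE-detection constants described in the text.

A hit means the constant is present, not that the code path runs; a miss is
not proof of absence, since a protector may encode or order the same
constants differently from the straight-line listings in the text.
"""
import struct
import sys

# Opcode-level patterns: (label, method number in the text, bytes).
BYTE_SIGNATURES = [
    ("BoundsChecker 'BCHK' signature (imm32 4243484Bh)", "01",
     struct.pack("<I", 0x4243484B)),
    ("mov si,4647h / mov di,4A4Dh (back door magic)", "02",
     bytes.fromhex("BE4746BF4D4A")),
    ("mov ax,1684h / mov bx,0202h (SICE VxD ID via int 2Fh)", "03",
     bytes.fromhex("B88416BB0202")),
    ("mov ax,1684h / mov bx,7A5Fh (SIWVID VxD ID via int 2Fh)", "04",
     bytes.fromhex("B88416BB5F7A")),
    ("mov ax,4Fh / int 41h (debugger installation check)", "05/06",
     bytes.fromhex("B84F00CD41")),
    ("mov ah,43h / int 68h (V86 WinICE handler check)", "07",
     bytes.fromhex("B443CD68")),
    ("push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", "12",
     bytes.fromhex("682A002A00")),
]

# Text patterns, matched both as ANSI and as UTF-16LE (the UTF-16LE form is
# an assumption beyond the text, which names only the ANSI APIs).
STRING_SIGNATURES = [
    ("MeltICE device name \\\\.\\SICE", "11", "\\\\.\\SICE"),
    ("MeltICE device name \\\\.\\SIWVID", "11", "\\\\.\\SIWVID"),
    ("MeltICE device name \\\\.\\NTICE", "11", "\\\\.\\NTICE"),
    ("registry key Uninstall\\SoftICE", "13", "Uninstall\\SoftICE"),
    ("registry key Software\\NuMega\\SoftICE", "13", "Software\\NuMega\\SoftICE"),
    ("registry key App Paths\\Loader32.Exe", "13", "App Paths\\Loader32.Exe"),
]


def all_signatures():
    """Expand the string signatures into both encodings and merge the lists."""
    sigs = list(BYTE_SIGNATURES)
    for label, method, text in STRING_SIGNATURES:
        sigs.append((label + " (ANSI)", method, text.encode("ascii")))
        sigs.append((label + " (UTF-16LE)", method, text.encode("utf-16-le")))
    return sigs


def scan(data):
    """Return every hit as (offset, method, label), sorted by offset."""
    hits = []
    for label, method, pattern in all_signatures():
        start = 0
        while True:
            pos = data.find(pattern, start)
            if pos < 0:
                break
            hits.append((pos, method, label))
            start = pos + 1          # keep going: a trick may appear more than once
    return sorted(hits)


def build_sample():
    """Constructed test buffer (not a real binary) with three tricks embedded."""
    blob = bytearray(b"\x90" * 16)                   # padding: NOPs
    blob += bytes.fromhex("B84F00CD413D86F3")        # mov ax,4Fh / int 41h / cmp ax,0F386h
    blob += b"\x00" * 8
    blob += b"\\\\.\\SICE\x00"                       # ANSI device name, as MeltICE uses
    blob += b"\x00" * 8
    blob += "Software\\NuMega\\SoftICE".encode("utf-16-le")
    return bytes(blob)


def report(data):
    """Human-readable lines, one per hit."""
    return ["%08x  method %-5s  %s" % hit for hit in scan(data)]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in report(data) or ["no SoftICE-detection constants found"]:
        print(line)
```

Run it with a file path to scan a sample, or without arguments to see the hits on the constructed buffer; a hit tells you which method's constant is present and where, so the matching breakpoint from the text can be set before the check is reached.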
* B: V9 s' }7 d3 D, ], [+ i4 P5 S</PRE></TD></TR></TBODY></TABLE> |