<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It probes the
BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4, the INT 3 is
answered by SoftICE, which modifies AL; if SoftICE is not loaded, AL is
still 4 afterwards.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' interface, which returns information on breakpoints or
executes SoftICE commands... It is also used to crash SoftICE, or to force
it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded, the
call returns ES:DI = 0000:0000.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the SoftICE
GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy IRET handler, so that without a debugger AX is still 4Fh after the
call; the check only fires if SoftICE answers with 0F386h before the
real-mode vector is ever reached. The vector lives in the interrupt vector
table at 0000:0104h, so ES must be 0:

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot with a
breakpoint because AX is never 4Fh: the dummy handler copies AL into CL.
Without SoftICE the dummy handler runs and CL equals AL; if the call never
reaches it, CL is still 0 and the compare fails (the timer read gives AL an
unpredictable value so that it is rarely 0 by chance).

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; PIT counter: an unpredictable AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set (dr0
to dr3), simply by reading their values (ring 0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).

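The two DR7 values quoted above can be read straight off the register layout. The decoder below is an added example, not code from the original text: it takes a DR7 value (which has to be obtained in ring 0 with MOV EAX,DR7; this module does not read the register itself), reports the enable bits, condition and length of DR0-DR3, shows what a BPM looks like once armed, and what "clearing BPMs" amounts to. The bit positions follow Intel's documented DR7 layout; the 0x700/0x400 readings are the page's observation, and the helper names (classify, encode_bpm, clear_bpm) and verdict strings are this example's own.

```python
"""DR7 decoder for the debug-register check (added example)."""
from typing import Dict, List, NamedTuple, Tuple

# DR7 bit layout (Intel SDM, "Debug Registers"):
#   bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3   local/global enable for DR0..DR3
#   bit 8, 9    LE, GE   exact-match flags; the 0x700 of a SoftICE-loaded program
#   bit 10      reserved, always reads as 1; hence the 0x400 of an idle machine
#   bit 13      GD       general detect: trap any access to the debug registers
#   bits 16+4i  R/Wi     condition of breakpoint i
#   bits 18+4i  LENi     length of breakpoint i
DR7_LE, DR7_GE, DR7_RESERVED1, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


class HwBreakpoint(NamedTuple):
    index: int        # which of DR0..DR3 holds the address
    local: bool
    global_: bool
    kind: str         # execute / write / read/write / io
    length: int       # bytes covered


def decode_dr7(dr7: int) -> Tuple[List[HwBreakpoint], Dict[str, bool]]:
    """Split a DR7 value into its enabled breakpoints and global flags."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    flags = {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
             "GD": bool(dr7 & DR7_GD)}
    return bps, flags


def classify(dr7: int) -> str:
    """The verdict the trick on this page draws from a DR7 value."""
    bps, flags = decode_dr7(dr7)
    if bps:
        return "hardware breakpoints armed"
    if flags["LE"] or flags["GE"]:
        return "debugger loader flags set (LE/GE), no BPM"
    return "clean"


def clear_bpm(dr7: int) -> int:
    """What 'clearing BPMs' means: drop all L/G enable bits, keep the rest."""
    return dr7 & ~0xFF


def encode_bpm(index: int, kind: str, length: int, base: int = DR7_RESERVED1) -> int:
    """Build the DR7 word a debugger writes to arm DR<index> (inverse of decode)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * index)) | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    # 0x400: nothing set; 0x700: LE/GE set by the loader; then a 4-byte write BPM in DR0
    for value in (0x400, 0x700, encode_bpm(0, "write", 4, base=0x700)):
        bps, flags = decode_dr7(value)
        print(f"DR7={value:08x}: {classify(value)}; flags={flags}; bps={bps}")
```

A protection that reads DR7 from ring 0 sees exactly these bits, which is why the warning above matters: a BPM you left armed is visible in the L/G bits, and a loader that sets LE/GE is visible even with no breakpoint at all.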
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves, to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how on earth could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears eax and the Carry flag
to allow the handle to be opened, and so SoftICE is detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
which the INC turns into 0):

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). It returns with the zero flag set when no debugger is installed:

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
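Before single-stepping into a packed or dongle-protected program it helps to know which of the tricks above it carries, so that the right BPX can be set first. The scanner below is an added example, not part of the original text: it matches the byte encodings of the instruction sequences shown in methods 01, 02, 03/04, 05, 07, 08, 10 and 12, the magic compare cmp ax,0F386h shared by methods 05, 06, 07 and 12, and the device names and registry paths of methods 11 and 13. The encodings are standard x86 (immediates stored little-endian, 16-bit code assumed for the DOS sequences), the SAMPLE blob is constructed here for demonstration, and the gaps allowed between instructions (.{0,N}) as well as the "weak" rating of the int 21h/25h pattern are this example's own assumptions.

```python
"""Static scan of a binary for the anti-SoftICE idioms catalogued above (added example)."""
import re
from typing import List, NamedTuple, Pattern, Tuple


class Hit(NamedTuple):
    method: str
    description: str
    offset: int


# x86 immediates are little-endian, so 'BCHK' (42 43 48 4B) is stored as
# 4B 48 43 42 after the MOV EBP opcode (BD); likewise 4647h -> 47 46.
_RAW_SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker interface probe)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "mov si,4647h ... mov di,4A4Dh (int 3 back door magic values)",
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"),
    ("03/04", "mov ax,1684h ... mov bx,VxD-ID ... int 2Fh (WINICE 0202h / SIWVID 7A5Fh)",
     rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    ("05", "mov ax,4Fh ... int 41h (debugger installation check)",
     rb"\xb8\x4f\x00.{0,4}?\xcd\x41"),
    ("05/06/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3d\x86\xf3"),
    ("07", "mov ah,43h ... int 68h (V86 WinICE handler check)",
     rb"\xb4\x43.{0,4}?\xcd\x68"),
    ("08", "mov ax,2501h/2503h (int 21h set vector for int 1/int 3; weak, ordinary hooks use it too)",
     rb"\xb8[\x01\x03]\x25"),
    ("10", "mov r32,DRn / mov DRn,r32 (debug register access, ring 0 only)",
     rb"\x0f[\x21\x23][\xc0-\xff]"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
_DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
_REGISTRY_KEYS = [b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"Loader32.Exe"]


def _build() -> List[Tuple[str, str, Pattern[bytes]]]:
    sigs = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in _RAW_SIGNATURES]
    for name in _DEVICE_NAMES:
        text = name.decode("ascii")
        sigs.append(("11", f"device name {text} (CreateFile/_lopen, MeltICE)",
                     re.compile(re.escape(name))))
        sigs.append(("11", f"device name {text} as UTF-16 (CreateFileW)",
                     re.compile(re.escape(text.encode("utf-16-le")))))
    for key in _REGISTRY_KEYS:
        sigs.append(("13", f"registry path fragment {key.decode('ascii')}",
                     re.compile(re.escape(key), re.IGNORECASE)))
    return sigs


SIGNATURES = _build()


def scan(data: bytes) -> List[Hit]:
    """Return every signature hit in `data`, ordered by file offset."""
    hits = [Hit(m, d, match.start())
            for m, d, rx in SIGNATURES
            for match in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def scan_file(path: str) -> List[Hit]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the method 01, 02 and 05 sequences followed by the
# MeltICE device name and the NuMega registry key, embedded in NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"       # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"               # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    import sys
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for h in found:
        print(f"{h.offset:08x}  method {h.method:<11} {h.description}")
```

Run it with a file name to scan a real target, or with no argument to see the hits on the constructed sample. Hits are leads, not proof: a 32-bit build may carry a 66h operand-size prefix in front of the 16-bit immediates, and the int 21h/25h pattern matches any program that hooks int 1 or int 3, so each offset is worth a look in the disassembler before a breakpoint is chosen.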
</PRE></TD></TR></TBODY></TABLE>