About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to point to the IVT (segment 0) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a PIT counter byte into al
    xor     cx,cx                   ; cl = 0 until our handler copies al into it
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler never ran, int 41h was intercepted
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
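As an added example (not part of the original article), here is a small Python triage scanner that looks in a raw code blob for the byte patterns behind the tricks above: the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the VxD IDs of Methods 03/04, the int 41h / int 68h / VxDCall checks of Methods 05, 07 and 12, and the device names and registry key of Methods 11 and 13. The `Signature` and `scan` names and the opcode encodings are mine, and the sample bytes are constructed, not taken from any real program.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str                 # method number as used on this page
    description: str
    anchors: tuple[bytes, ...]  # anchors[0] is searched; the rest must follow it
    window: int                 # ...within this many bytes after anchors[0]


# Immediates use the 16-bit encodings (mov r16,imm16 = B8+r iw, int n = CD ib,
# cmp ax,imm16 = 3D iw); 32-bit code adds a 66h prefix in front, which keeps these
# substrings intact. The window keeps a lone `int 41h` or `cmp ax,0F386h` from matching.
SIGNATURES = (
    Signature("01", "BoundsChecker 'BCHK' in ebp, then int 3",
              (bytes.fromhex("BD4B484342"), b"\xCC"), 16),
    Signature("02", "int 3 back door magic SI=4647h / DI=4A4Dh",
              (bytes.fromhex("BE4746"), bytes.fromhex("BF4D4A")), 16),
    Signature("03", "int 2Fh/1684h with SICE VxD ID 0202h",
              (bytes.fromhex("BB0202"), bytes.fromhex("CD2F")), 16),
    Signature("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
              (bytes.fromhex("BB5F7A"), bytes.fromhex("CD2F")), 16),
    Signature("05", "int 41h/4Fh, compares ax with 0F386h",
              (bytes.fromhex("B84F00CD41"), bytes.fromhex("3D86F3")), 16),
    Signature("07", "int 68h/43h, compares ax with 0F386h",
              (bytes.fromhex("B443CD68"), bytes.fromhex("3D86F3")), 16),
    Signature("11", "MeltICE device name", (b"\\\\.\\SICE",), 0),
    Signature("11", "MeltICE device name", (b"\\\\.\\SIWVID",), 0),
    Signature("11", "MeltICE device name", (b"\\\\.\\NTICE",), 0),
    # push 4Fh (6A 4F) / push 2A002Ah (68 2A 00 2A 00) ... cmp ax,0F386h
    Signature("12", "VxDCall VWIN32_Int41Dispatch 4Fh",
              (bytes.fromhex("6A4F682A002A00"), bytes.fromhex("3D86F3")), 24),
    Signature("13", "SoftICE registry key", (b"Software\\NuMega\\SoftICE",), 0),
)


def scan(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for each signature found, by offset."""
    hits = []
    for sig in SIGNATURES:
        first, rest = sig.anchors[0], sig.anchors[1:]
        pos = blob.find(first)
        while pos != -1:
            region = blob[pos + len(first):pos + len(first) + sig.window]
            if all(a in region for a in rest):
                hits.append((pos, sig.method, sig.description))
                break  # one hit per signature is enough for triage
            pos = blob.find(first, pos + 1)
    return sorted(hits)


# Constructed sample, not taken from any real binary: a decoy `mov ax,4Fh / ret`
# (no int 41h, must not match), the Method 05 sequence as on the page, and the
# MeltICE device name from Method 11.
SAMPLE = (
    bytes.fromhex("B84F00C3")                 # mov ax,4Fh / ret  (decoy)
    + b"\x90" * 4
    + bytes.fromhex("B84F00CD413D86F37410")   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                      # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method}: {desc}")
```

Feed it a code section rather than a whole file to keep string-only hits (Methods 11 and 13) meaningful, and treat any hit as a lead to confirm in the disassembly, not as proof.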