<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4
  jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

  4C19:0095 MOV AX,0911   ; execute command.
  4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647   ; 1st magic value.
  4C19:009D MOV DI,4A4D   ; 2nd magic value.
  4C19:00A0 INT 3         ; int call (if SoftICE is not loaded, jmp to 00AD*).
  4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06     ; repeat 6 times to execute
  4C19:00A8 JB 0095       ; 6 different commands.
  4C19:00AA JMP 0002      ; Bad_Guy: jump back.
  4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h        ; VxD ID of WINICE
  int 2Fh
  mov ax, es           ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7A5Fh        ; VxD ID of SIWVID
  int 2Fh
  mov ax, es           ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The simplest one is:

  mov ax, 4Fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_Detected

The next one, as well as the one in method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  xor ax, ax
  mov es, ax                ; ES = 0 -> interrupt vector table (added; see method 06)
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]       ; install our own int 41h handler...
  xchg bx, es:[41h*4+2]
  mov ax, 4Fh
  int 41h
  xchg dx, es:[41h*4]       ; ...and put the original vector back
  xchg bx, es:[41h*4+2]
  cmp ax, 0F386h
  jz SoftICE_Detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect:

int41handler PROC
  mov cl, al
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax                ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]       ; install our own int 41h handler
  xchg bx, es:[41h*4+2]
  in al, 40h                ; read PIT channel 0: a changing value
  xor cx, cx
  int 41h                   ; our handler copies AL into CL
  xchg dx, es:[41h*4]       ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl, al                ; CL == AL only if our handler really ran
  jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
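Methods 01 to 07 all come down to an int preceded by a handful of magic
immediates, which makes them easy to spot when triaging a packed executable
without running it. The Python scanner below is an added example (not part of
the original text, and not a tool from any project mentioned here): it finds
every int 3 / int imm8 opcode and checks that the immediates a given method
needs were loaded in the 16 bytes before it, and for method 02 names the
back-door function selected in AX. The rule table, the 16-byte window and the
sample bytes (the listings of methods 01, 02, 03, 05 and 07 hand-assembled as
16-bit real-mode code) are my own assumptions and constructions.

```python
"""Static triage scanner for the interrupt-based SoftICE checks of methods 01-07.
Added example, not code from the text: it only knows the literal 16-bit
encodings in the listings above, so treat hits as triage leads, not proof."""
from collections import namedtuple

# method number, description, vector invoked, byte strings that must all precede it
Rule = namedtuple("Rule", "method name interrupt needles")

# Encodings (16-bit code): B8 iw = mov ax,iw; BB iw = mov bx,iw; BE iw = mov si,iw;
# BF iw = mov di,iw; B4 ib = mov ah,ib; BD id = mov ebp,id (66h prefix not required).
RULES = (
    Rule("01", "BoundsChecker 'BCHK' signature via int 3", 0x03,
         (b"\xBD\x4B\x48\x43\x42", b"\xB8\x04\x00")),
    Rule("02", "SoftICE back door via int 3 (SI=4647h, DI=4A4Dh)", 0x03,
         (b"\xBE\x47\x46", b"\xBF\x4D\x4A")),
    Rule("03", "int 2Fh/1684h with SICE VxD ID 0202h", 0x2F,
         (b"\xB8\x84\x16", b"\xBB\x02\x02")),
    Rule("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh", 0x2F,
         (b"\xB8\x84\x16", b"\xBB\x5F\x7A")),
    Rule("05", "int 41h function 4Fh debugger check", 0x41, (b"\xB8\x4F\x00",)),
    Rule("07", "int 68h function 43h WinICE V86 check", 0x68, (b"\xB4\x43",)),
)

# AX values of the back-door interface (method 02), reported with the hit.
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}

WINDOW = 16  # bytes searched before each int (assumption, sized to the listings)

def find_interrupts(code):
    """Yield (offset, vector) for every int 3 (CCh) and int imm8 (CDh ib)."""
    for off, b in enumerate(code):
        if b == 0xCC:
            yield off, 3
        elif b == 0xCD and off + 1 < len(code):
            yield off, code[off + 1]

def backdoor_function(window):
    """Name of the back-door function loaded with mov ax,imm16, if any."""
    for i in range(len(window) - 2):
        if window[i] == 0xB8:
            ax = window[i + 1] | (window[i + 2] << 8)
            if ax in BACKDOOR_FUNCS:
                return BACKDOOR_FUNCS[ax]
    return None

def scan(code, window=WINDOW):
    """Return one dict per matched rule, in file order."""
    hits = []
    for off, vector in find_interrupts(code):
        before = code[max(0, off - window):off]
        for rule in RULES:
            if rule.interrupt == vector and all(n in before for n in rule.needles):
                hits.append({"offset": off, "method": rule.method, "name": rule.name,
                             "backdoor": backdoor_function(before) if rule.method == "02" else None})
    return hits

# Constructed sample: the listings of methods 01, 02, 03, 05 and 07 hand-assembled
# as 16-bit code (jump displacements left as 0), followed by a plain DOS exit.
SAMPLE = bytes.fromhex(
    "66BD4B484342"  # mov ebp, 4243484Bh ('BCHK')        -- method 01
    "B80400"        # mov ax, 4
    "CC"            # int 3
    "3C04"          # cmp al, 4
    "7500"          # jnz
    "B81109"        # mov ax, 0911h (execute command)   -- method 02
    "8B17"          # mov dx, [bx]
    "BE4746"        # mov si, 4647h
    "BF4D4A"        # mov di, 4A4Dh
    "CC"            # int 3
    "83C302"        # add bx, 2
    "33FF"          # xor di, di                        -- method 03
    "8EC7"          # mov es, di
    "B88416"        # mov ax, 1684h
    "BB0202"        # mov bx, 0202h (SICE)
    "CD2F"          # int 2Fh
    "8CC0"          # mov ax, es
    "03C7"          # add ax, di
    "85C0"          # test ax, ax
    "7500"          # jnz
    "B84F00"        # mov ax, 4Fh                       -- method 05
    "CD41"          # int 41h
    "3D86F3"        # cmp ax, 0F386h
    "7400"          # jz
    "B443"          # mov ah, 43h                       -- method 07
    "CD68"          # int 68h
    "3D86F3"        # cmp ax, 0F386h
    "7400"          # jz
    "B44C"          # mov ah, 4Ch                       -- plain DOS exit, no hit
    "CD21"          # int 21h
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        extra = f" ({h['backdoor']})" if h["backdoor"] else ""
        print(f"+{h['offset']:04X}: method {h['method']} - {h['name']}{extra}")
```

Run on the sample it reports five hits (methods 01, 02, 03, 05, 07) and stays
quiet on the int 21h exit. The needles are the exact immediate encodings, so a
protector that assembles the same values differently (computed in registers,
stored in memory operands, 32-bit code for the int 3 tricks) is not matched;
for that case a real disassembler pass is needed, and the scanner is only the
first, cheap filter.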
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

  mov ah, 25h
  mov al, Int_Number             ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
  mov edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE Loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
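To see what method 10 actually reads, here is an added example (not from the
original text) that decodes a DR7 value into its LE/GE flags and enabled
breakpoints, builds the value a hardware breakpoint (a BPM) leaves behind, and
applies the text's reading of 0x700 versus 0x400. The bit layout is the
architectural x86 one; the interpretation strings only restate what the text
claims about those two values.

```python
"""Decoding DR7, the register method 10 reads (added example, not from the text).
Bit layout (x86 architectural, not SoftICE-specific):
  bits 0-7    L0,G0 .. L3,G3      local/global enable of breakpoints 0-3
  bits 8, 9   LE, GE              exact breakpoint matching
  bit 10      reserved, reads as 1 (the 0x400 baseline mentioned in the text)
  bit 13      GD                  trap any access to the debug registers
  bits 16-31  R/W0,LEN0 .. R/W3,LEN3   condition and length per breakpoint
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # code 2 (8 bytes) only on 64-bit CPUs
RW_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}

def decode_dr7(dr7):
    """Return the flags and the enabled breakpoints encoded in a DR7 value."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "scope": "global" if glob else "local",
                    "condition": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": bps}

def set_breakpoint(dr7, n, condition, length, global_scope=False):
    """Enable hardware breakpoint n in DR7: the bits a BPM sets in the register."""
    dr7 &= ~(0xF << (16 + 4 * n)) & 0xFFFFFFFF        # clear R/Wn and LENn
    dr7 |= RW_CODES[condition] << (16 + 4 * n)
    dr7 |= LEN_CODES[length] << (18 + 4 * n)
    dr7 |= 1 << (2 * n + (1 if global_scope else 0))  # Ln or Gn
    return dr7

def clear_breakpoints(dr7):
    """What 'clearing BPMs' amounts to: drop the enable bits and the conditions."""
    return dr7 & 0xFF00

def interpret(dr7):
    """The reading method 10 makes of the value, as stated in the text."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware/memory breakpoints set"
    if info["le"] and info["ge"]:
        return "LE/GE set: program started with the SoftICE Loader (0x700)"
    return "baseline (0x400): nothing visible"

if __name__ == "__main__":
    for value in (0x400, 0x700, set_breakpoint(0x400, 0, "write", 4)):
        print(f"DR7={value:08X}: {interpret(value)} {decode_dr7(value)['breakpoints']}")
```

Bit 10 of DR7 always reads as 1, which is why the "nothing set" baseline in the
text is 0x400 rather than 0; 0x700 adds LE and GE (bits 8 and 9), and any BPM
sets one of bits 0-7 plus a condition/length field in bits 16-31. That is the
whole information a ring-0 read of dr7 exposes, and it is also exactly what a
protector that clears BPMs erases, which is why the warning at the top of this
method matters.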

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened when the SICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025      ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                             ; will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                             ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                 ; OF_READ
  mov eax,[00656634]      ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589            ; detected
  push 00                 ; OF_READ
  mov eax,[00656638]      ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

  push 0000004Fh           ; function 4Fh
  push 002A002Ah           ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_0001   ; VxDCall
  cmp ax, 0F386h           ; magic number returned by system debuggers
  jz SoftICE_Detected

Here again, there are several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

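The breakpoint conditions of methods 11 and 13 read a dword at a fixed offset
from an argument on the stack and compare it with a four-character literal.
The Python below is an added example (not from the original text) that
reproduces those two conditions on the strings the text mentions and shows
where the offsets 4, 0x13 and 0x37 come from; the device names and registry
paths are taken from the text, the helper functions are my own.

```python
"""Where the offsets in the breakpoint conditions of methods 11 and 13 come from
(added example, not from the text). SoftICE's *(ptr+n)=='abcd' compares the
4 bytes at ptr+n with the literal; the helpers do the same on the strings a
checked program passes to CreateFileA / RegOpenKey."""

# Strings from the text, as the narrow (byte) strings the APIs receive.
DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")
REG_PATHS = (
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      # key #1
    b"Software\\NuMega\\SoftICE",                                             # key #2
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", # key #3
)

def dword_at(buf, off):
    """The 4 bytes a SoftICE *(ptr+off) reads (shorter if the buffer ends)."""
    return bytes(buf[off:off + 4])

def createfile_condition(lp_file_name):
    # BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    # esp->4 is the first argument (lpFileName); +4 skips the 4-byte \\.\ prefix.
    return dword_at(lp_file_name, 4) in (b"SICE", b"SIWV", b"NTIC")

def regopenkey_condition(lp_sub_key):
    # BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    # esp->8 is the second argument (lpSubKey).
    return b"tICE" in (dword_at(lp_sub_key, 0x13), dword_at(lp_sub_key, 0x37))

def tice_offset(path):
    """Offset of 'tICE' inside a registry path: how 0x13 and 0x37 were chosen."""
    return path.find(b"tICE")

def coverage():
    """Which of the text's strings each breakpoint condition would catch."""
    return ([(n, createfile_condition(n)) for n in DEVICE_NAMES] +
            [(p, regopenkey_condition(p)) for p in REG_PATHS])

if __name__ == "__main__":
    for path in REG_PATHS:
        print(f"'tICE' at offset {tice_offset(path):#x} in {path.decode()}")
    for s, caught in coverage():
        print(f"{'caught' if caught else 'missed'}: {s.decode()}")
```

Running it shows that 0x13 is the position of 'tICE' in "Software\NuMega\SoftICE"
and 0x37 its position in the Uninstall key, and it makes a gap visible: key #3
(App Paths\Loader32.Exe) contains no 'tICE', so the breakpoint of method 13 never
fires for it. Both conditions are byte-exact at fixed offsets, so they also miss
the wide-character API variants and a name that does not sit at the same offset
in its buffer; a condition on the whole string, or a breakpoint on the RegOpenKey
and CreateFile W variants as well, closes those holes.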
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>