About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] is the int 41h IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX alone, so 0F386h
    jz      SoftICE_detected        ; can only have come from a debugger

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0: a hard-to-predict value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler did not get the call
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
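As an added illustration (not part of the original text), the following Python decodes a DR7 value the way a ring0 reader in Method 10 would have to, using the DR7 bit layout from the Intel manual; the two verdict strings map the 0x700 / 0x400 values quoted above, and a third case reports armed DR0-DR3 breakpoints (BPMs). The function names and the sample values are mine.

```python
# DR7 layout (Intel SDM): bits 0-7 = L0,G0 .. L3,G3 enable bits, bit 8 = LE,
# bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16-31 = R/W0,LEN0 .. R/W3,LEN3 (2 bits each).
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the per-register settings."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                        # DRi is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({"dr": i, "local": bool(local), "global": bool(glob),
                            "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": breakpoints}


def classify(dr7: int) -> str:
    """Apply the two observations of Method 10 to a DR7 value (assumed mapping)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ",".join(f"DR{b['dr']}({b['kind']},{b['len']})" for b in d["breakpoints"])
        return "hardware breakpoints armed: " + armed
    if d["LE"] and d["GE"]:                 # 0x700 = LE | GE | reserved bit 10
        return "LE/GE set: matches the 0x700 value seen with the SoftICE loader"
    return "no breakpoints, LE/GE clear: matches the 0x400 baseline"


if __name__ == "__main__":
    # Constructed values: the two from the text, plus DR0 armed as a 4-byte write BPM.
    for value in (0x700, 0x400, 0xD0401):
        print(f"dr7={value:#x}: {classify(value)}")
```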

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
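The opcode and string sequences quoted in methods 01 to 07, 11 and 12 can be turned into static signatures for triaging a suspect binary. The following Python scanner is an added example, not part of the original text: the signature names, the regexes and the sample blob are mine, built from the 16-bit encodings of the instructions shown above (the optional 66h prefix covers the 'mov ebp' form in both 16- and 32-bit code).

```python
import re

# Byte signatures for the tricks described above.  Assumed names; the
# encodings are the standard 16-bit ones (mov r16,imm16 = B8+r, int = CD ib).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK'":    rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "02 back door SI/DI magic":   rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,16}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh ... int 2Fh
    "03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh":             rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h":             rb"\xB4\x43\xCD\x68",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE, _lopen)
    "11 MeltICE device name":     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch":   rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return (offset, signature name) for every hit, sorted by offset.
    A hit is a lead for manual review, not proof: legitimate debugger-aware
    code (int 41h/4Fh for instance) uses the same interfaces."""
    hits = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)


# Constructed sample "binary": the Haspinst.exe back door sequence (Method 02),
# an int 41h/4Fh probe with its cmp ax,0F386h (Method 05), a winice VxD ID
# probe (Method 03), the Method 12 VxDCall pushes and a MeltICE device name.
SAMPLE = (
    b"\x90\x90"                                            # nop filler
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # Method 05
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12
    + b"\\\\.\\SICE\x00"                                   # Method 11
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to scan(); for packed programs the hits only appear once the unpacked layer is dumped.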

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>