About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with ebp='BCHK'
and ax=4, an int 3 is answered by SoftICE, which changes al; if al still
holds 4 afterwards, nothing serviced the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE alters al when it services the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; es+di non-zero => an entry point was returned
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation
check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at its own do-nothing handler, so a plain "int 41h" would return ax
unchanged; if ax still comes back as 0F386h, SoftICE intercepted the
interrupt before it ever reached the vector table:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
0F386h is ever compared. The private handler copies al into cl; if SoftICE
takes int 41h for itself instead of passing it to the vector table, the
handler never runs and cl (cleared beforehand) no longer matches al. (If
the byte read from port 40h happens to be 0, cl and al agree anyway and
SoftICE can go unnoticed.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: an arbitrary, changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; handler ran -> cl == al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; Int_Number: 01h (or 03h)
    push    cs
    pop     ds                      ; ds:dx -> New_Int_Routine
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
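As an added example (my code, not part of the original text), here is a decoder for the DR7 values this trick inspects. It takes a DR7 value already captured at ring 0 (reading the register from ring 3 raises #GP, so the only reader shown is a ring 0 inline-asm stub) and reports the LE/GE bits that separate 0x700 from the 0x400 baseline (bit 10 is reserved and always reads as 1), which of dr0-dr3 are armed and with what condition and length, and clears a chosen breakpoint the way an anti-debug routine kills a BPM. The bit layout follows the Intel manual; the sample values in main are constructed, not captured from a real machine.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
   bit 2i = Li (local enable of dr_i), bit 2i+1 = Gi (global enable)
   bit 8 = LE, bit 9 = GE (exact breakpoint match; both set -> 0x300)
   bit 10 = reserved, always reads as 1 (hence the 0x400 baseline)
   bits 16+4i..17+4i = R/Wi (00 exec, 01 write, 10 io, 11 read/write)
   bits 18+4i..19+4i = LENi (00 1 byte, 01 2 bytes, 11 4 bytes) */
#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)

enum { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

/* Is hardware breakpoint idx (0..3) armed, locally or globally? */
int dr7_bp_enabled(uint32_t dr7, int idx)
{
    return ((dr7 >> (2 * idx)) & 3u) ? 1 : 0;
}

/* Breakpoint condition of dr_idx: BP_EXEC, BP_WRITE, BP_IO or BP_RW. */
int dr7_bp_type(uint32_t dr7, int idx)
{
    return (int)((dr7 >> (16 + 4 * idx)) & 3u);
}

/* Monitored length in bytes for dr_idx (8 only exists on 64-bit CPUs). */
int dr7_bp_len(uint32_t dr7, int idx)
{
    static const int len_of[4] = { 1, 2, 8, 4 };
    return len_of[(dr7 >> (18 + 4 * idx)) & 3u];
}

/* The signature the text describes: LE and GE both set (0x700 rather than 0x400). */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Number of armed breakpoints; non-zero means BPM-style breakpoints exist. */
int dr7_armed_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++) n += dr7_bp_enabled(dr7, i);
    return n;
}

/* What an anti-debug routine does to kill a BPM: drop Li/Gi and the R/W and LEN
   fields of dr_idx. Writing the result back is, like reading, a ring 0 'mov dr7,eax'. */
uint32_t dr7_clear_bp(uint32_t dr7, int idx)
{
    dr7 &= ~(3u << (2 * idx));
    dr7 &= ~(0xFu << (16 + 4 * idx));
    return dr7;
}

/* Bounded printf-style append used by dr7_describe. */
static void sappend(char *out, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int w;
    if (*used + 1 >= cap) return;
    va_start(ap, fmt);
    w = vsnprintf(out + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (w < 0) return;
    *used = ((size_t)w < cap - *used) ? *used + (size_t)w : cap - 1;
}

/* Human-readable summary such as "LE GE bp0:write/4". Returns out. */
const char *dr7_describe(uint32_t dr7, char *out, size_t cap)
{
    static const char *type_name[4] = { "exec", "write", "io", "rw" };
    size_t used = 0;
    out[0] = '\0';
    if (dr7 & DR7_LE) sappend(out, cap, &used, "LE");
    if (dr7 & DR7_GE) sappend(out, cap, &used, "%sGE", used ? " " : "");
    for (int i = 0; i < 4; i++)
        if (dr7_bp_enabled(dr7, i))
            sappend(out, cap, &used, "%sbp%d:%s/%d", used ? " " : "", i,
                    type_name[dr7_bp_type(dr7, i)], dr7_bp_len(dr7, i));
    if (used == 0) sappend(out, cap, &used, "no breakpoints");
    return out;
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* Ring 0 only (VxD / driver code): executing this at ring 3 raises #GP. */
static inline uintptr_t read_dr7_ring0(void)
{
    uintptr_t v;
    __asm__ volatile ("mov %%dr7, %0" : "=r"(v));
    return v;
}
#endif

int main(void)
{
    /* constructed sample values: baseline, SoftICE-loader signature, a 4-byte write BPM on dr0, an execute bp on dr1 */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000D0701u, 0x404u };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dr7=%08x  loader=%d  %s\n", samples[i],
               dr7_looks_like_softice_loader(samples[i]), dr7_describe(samples[i], buf, sizeof buf));
    return 0;
}
```

The decoder deliberately separates "loaded via the SoftICE loader" (LE/GE) from "a BPM is armed" (Li/Gi plus R/W and LEN), because a protector that only compares dr7 against 0x700 misses breakpoints set after the program started, while one that checks the enable bits catches them regardless of how the program was launched.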

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE VxD answers a CreateFile on \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device exists: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
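An added example (my code, not from the original text nor from any tool it names) that serves method 02 and method 12 together: instead of waiting for the trick to fire under a breakpoint, scan the raw code bytes of a binary for the sequences themselves. For method 02 it looks for mov si,4647h and mov di,4A4Dh (in either order), an optional mov ax,091xh giving the back-door function, and the int 3 that invokes it; for method 12 it looks for the push 4Fh / push 2A002Ah pair that sets up the VWIN32_Int41Dispatch VxDCall. The sample buffers are constructed from the Haspinst.exe listing and the Bleem fragment above; the encodings are standard x86 (mov r16,imm16 = B8+r iw, push imm32 = 68 id, int 3 = CC), with an optional 66h operand-size prefix accepted so the same magic movs are found in 32-bit code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SICE_MAGIC_SI 0x4647u
#define SICE_MAGIC_DI 0x4A4Du

typedef struct {
    size_t   offset;       /* first magic-value mov */
    size_t   int3_offset;  /* the INT 3 that enters the back door */
    uint16_t function;     /* 0910h..0914h if a 'mov ax,09xxh' was seen nearby, else 0 */
} backdoor_hit;

/* Match "mov r16, imm16" (opcode B8+r) with a given immediate at buf[i].
   Accepts a 66h operand-size prefix (32-bit code). Returns the instruction length or 0. */
static size_t match_mov_imm16(const uint8_t *buf, size_t n, size_t i, uint8_t opcode, uint16_t imm)
{
    size_t pfx = (i < n && buf[i] == 0x66) ? 1 : 0;
    size_t p = i + pfx;
    if (p + 3 > n || buf[p] != opcode) return 0;
    if (buf[p + 1] != (uint8_t)(imm & 0xFF) || buf[p + 2] != (uint8_t)(imm >> 8)) return 0;
    return pfx + 3;
}

/* Method 02: both magic movs and an INT 3 within `window` bytes, in any order.
   Returns 1 and fills *hit with the first occurrence, 0 if none. */
int find_sice_backdoor(const uint8_t *buf, size_t n, size_t window, backdoor_hit *hit)
{
    for (size_t i = 0; i < n; i++) {
        if (!match_mov_imm16(buf, n, i, 0xBE, SICE_MAGIC_SI) &&
            !match_mov_imm16(buf, n, i, 0xBF, SICE_MAGIC_DI))
            continue;
        size_t lo = i >= 8 ? i - 8 : 0;              /* mov ax,09xxh often precedes the movs */
        size_t hi = i + window < n ? i + window : n;
        int seen_si = 0, seen_di = 0;
        uint16_t fn = 0;
        for (size_t j = lo; j < hi; j++) {
            if (match_mov_imm16(buf, n, j, 0xBE, SICE_MAGIC_SI)) seen_si = 1;
            else if (match_mov_imm16(buf, n, j, 0xBF, SICE_MAGIC_DI)) seen_di = 1;
            else if (j + 3 <= n && buf[j] == 0xB8 && buf[j + 2] == 0x09 &&
                     buf[j + 1] >= 0x10 && buf[j + 1] <= 0x14)
                fn = (uint16_t)(0x0900 | buf[j + 1]);
            else if (buf[j] == 0xCC && seen_si && seen_di) {
                hit->offset = i;
                hit->int3_offset = j;
                hit->function = fn;
                return 1;
            }
        }
    }
    return 0;
}

/* Method 12: "push 0000004Fh ; push 002A002Ah" (68 4F 00 00 00 68 2A 00 2A 00),
   the VWIN32_Int41Dispatch(4Fh) set-up. Returns the offset, or (size_t)-1. */
size_t find_vxdcall_int41_check(const uint8_t *buf, size_t n)
{
    static const uint8_t sig[] = { 0x68, 0x4F, 0x00, 0x00, 0x00, 0x68, 0x2A, 0x00, 0x2A, 0x00 };
    for (size_t i = 0; i + sizeof sig <= n; i++)
        if (memcmp(buf + i, sig, sizeof sig) == 0) return i;
    return (size_t)-1;
}

/* Constructed test data: the Haspinst.exe loop from method 02 (4C19:0095..00AD),
   preceded by an unrelated "push bp / mov bp,sp". */
const uint8_t haspinst_loop[] = {
    0x55, 0x8B, 0xEC,           /* push bp ; mov bp,sp (filler) */
    0xB8, 0x11, 0x09,           /* mov ax,0911h */
    0x8B, 0x17,                 /* mov dx,[bx] */
    0xBE, 0x47, 0x46,           /* mov si,4647h */
    0xBF, 0x4D, 0x4A,           /* mov di,4A4Dh */
    0xCC,                       /* int 3 */
    0x83, 0xC3, 0x02,           /* add bx,2 */
    0x41,                       /* inc cx */
    0x83, 0xF9, 0x06,           /* cmp cx,6 */
    0x72, 0xEB,                 /* jb 0095 */
    0xE9, 0x55, 0xFF,           /* jmp 0002 */
    0x8B, 0xDC                  /* mov bx,sp */
};
const size_t haspinst_loop_len = sizeof haspinst_loop;

/* Constructed: the Bleem-style 32-bit check from method 12 (call target zeroed). */
const uint8_t bleem_check[] = {
    0x90, 0x90,                                 /* filler */
    0x68, 0x4F, 0x00, 0x00, 0x00,               /* push 4Fh */
    0x68, 0x2A, 0x00, 0x2A, 0x00,               /* push 2A002Ah */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00          /* call [Kernel32!ORD_0001] */
};
const size_t bleem_check_len = sizeof bleem_check;

int main(void)
{
    backdoor_hit h;
    if (find_sice_backdoor(haspinst_loop, haspinst_loop_len, 32, &h))
        printf("back door at +%zu, int 3 at +%zu, function %04x\n",
               h.offset, h.int3_offset, (unsigned)h.function);
    size_t off = find_vxdcall_int41_check(bleem_check, bleem_check_len);
    if (off != (size_t)-1) printf("VxDCall int 41h/4Fh check at +%zu\n", off);
    return 0;
}
```

Run it over a code section dumped from the protected file (or the whole file; the magic values are distinctive enough that false hits are rare) and you get the addresses to put a BPX on before the program ever reaches the int 3. A packer that builds the SI/DI values arithmetically rather than with immediates defeats the static search, which is exactly when the BPINT 3 / BPX conditions listed in the text are the fallback.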

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
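An added example (my code, not from the page) that spells out what the conditional breakpoints of methods 11 and 13 actually test. In SoftICE syntax esp->4 is the dword at [esp+4], i.e. the first stdcall argument when the BPX fires at the API entry, esp->8 the second, and 'SICE' or 'tICE' is a four-character constant compared with the four bytes at that address; the model below keeps that as a plain four-byte compare (my reading of the idiom, not a quotation from the SoftICE manual) and evaluates it on a constructed stack frame instead of a live one. It also derives the 0x13 and 0x37 offsets from the registry paths of method 13, so the constants can be checked rather than trusted. The frame layout and sample strings are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A stdcall frame as seen by "BPX SomeApi": [esp] = return address, [esp+4] = arg1,
   [esp+8] = arg2 ... Pointer-sized slots stand in for the 32-bit dwords. */
typedef struct {
    uintptr_t   ret;
    const void *arg[4];
} api_frame;

/* SoftICE "esp->N": the slot at [esp+N]; N=4 is arg1, N=8 is arg2. */
static const void *esp_deref(const api_frame *f, unsigned n)
{
    return (n >= 4 && n / 4 - 1 < 4) ? f->arg[n / 4 - 1] : NULL;
}

/* "*(p+off)=='ABCD'": the four bytes at p+off equal the constant. The string must be
   long enough to hold them (SoftICE does not check that; this model does, so a short
   device name cannot be compared past its terminator). */
static int tag_at(const char *s, size_t off, const char *tag)
{
    return s && strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   (+4 skips the "\\.\" device prefix of lpFileName). */
int createfile_condition(const api_frame *f)
{
    const char *name = (const char *)esp_deref(f, 4);
    return tag_at(name, 4, "SICE") || tag_at(name, 4, "SIWV") || tag_at(name, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is lpSubKey; 0x13 and 0x37 are where "SoftICE" ends in keys #2 and #1). */
int regopenkey_condition(const api_frame *f)
{
    const char *subkey = (const char *)esp_deref(f, 8);
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

/* Offset of a four-character tag inside a string, or -1: derives the constants
   above from the key paths instead of trusting them. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

/* Build a frame with one argument filled in (constructed, not a real stack). */
static api_frame frame_with_arg(int idx, const char *s)
{
    api_frame f;
    memset(&f, 0, sizeof f);
    f.ret = 0x00401071;            /* return address from the MeltICE listing above */
    f.arg[idx] = s;
    return f;
}

int main(void)
{
    api_frame melt   = frame_with_arg(0, "\\\\.\\SICE");
    api_frame normal = frame_with_arg(0, "C:\\WINDOWS\\WIN.INI");
    api_frame reg    = frame_with_arg(1, "Software\\NuMega\\SoftICE");
    printf("CreateFileA(\\\\.\\SICE)  -> %d\n", createfile_condition(&melt));
    printf("CreateFileA(WIN.INI)    -> %d\n", createfile_condition(&normal));
    printf("RegOpenKey(NuMega key)  -> %d\n", regopenkey_condition(&reg));
    printf("'tICE' offset in key #2 -> 0x%lx\n",
           (unsigned long)tag_offset("Software\\NuMega\\SoftICE", "tICE"));
    printf("'tICE' offset in key #1 -> 0x%lx\n",
           (unsigned long)tag_offset("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE", "tICE"));
    return 0;
}
```

The point of the offset check is practical: the breakpoint condition only matches the exact spelling and casing of those two paths, so a program that opens key #3 (App Paths\Loader32.Exe) or that builds the key name with a different prefix sails past it, and the condition has to be widened accordingly.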

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>