<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 so that es:[41h*4] is the int 41h vector in the IVT
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler,
        xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl,al
        iret
int41handler ENDP

        xor     ax,ax
        mov     es,ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our own int 41h handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer value, used as a random nonce
        xor     cx,cx
        int     41h                     ; our handler copies al into cl...
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl,al                   ; ...unless a debugger took the int 41h
        jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine ; ds must hold its segment
        int     21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025                 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where "tICE" sits
in key #2 and key #1 respectively):

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
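As an added example (not part of the original text), here is a small Python signature scanner that flags the interrupt-based tricks of Methods 01 to 07 and 12 by their opcode bytes, and the MeltICE device names (Method 11) and registry keys (this method) by their ANSI strings, run over a constructed byte sample. The byte encodings are worked out from the listings above assuming 16-bit real-mode code for the int-based tricks; a hit is a lead for the analyst, not proof of a protection.

```python
"""Static signature scan for the anti-SoftICE tricks described above.

Added example, not from the original text. Assumptions: the DOS tricks are
16-bit real-mode code exactly as listed (imm16 little-endian), the BCHK,
VxDCall and string patterns come from 32-bit or mode-independent code, and
device/registry strings are ANSI (as seen by _lopen / CreateFileA / RegOpenKeyA).
"""
import re
from typing import List, Tuple

# Opcode byte patterns worked out from the listings above (constructed here).
OPCODE_SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' backdoor",        b"\xBD\x4B\x48\x43\x42"),              # mov ebp,'BCHK'
    ("Method 02: int 3 backdoor, SI=4647h DI=4A4Dh",    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"),      # mov si,4647h / mov di,4A4Dh / int 3
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",   b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),  # mov ax,1684h / mov bx,0202h / int 2Fh
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("Method 05: int 41h/4Fh debugger check",           b"\xB8\x4F\x00\xCD\x41"),              # mov ax,4Fh / int 41h
    ("Method 07: int 68h/43h WinICE handler check",     b"\xB4\x43\xCD\x68"),                  # mov ah,43h / int 68h
    ("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",    b"\x6A\x4F\x68\x2A\x00\x2A\x00"),      # push 4Fh / push 002A002Ah
]
# ANSI strings used by MeltICE-style (Method 11) and registry (Method 13) probes.
STRING_SIGNATURES = [
    ("Method 11: SoftICE device name",  re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("Method 13: SoftICE registry key", re.compile(rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)")),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, description) pairs for every signature hit in blob."""
    hits: List[Tuple[int, str]] = []
    for name, sig in OPCODE_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(sig, pos + 1)
    for name, pat in STRING_SIGNATURES:
        hits.extend((m.start(), name) for m in pat.finditer(blob))
    return sorted(hits)


# Constructed sample: a Haspinst-style backdoor call, a harmless lone int 3,
# an int 41h/4Fh probe with its cmp ax,0F386h, and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h / mov dx,[bx] / magic values / int 3
    + b"\xCC\x90"                                          # int 3 without the magic values: no hit
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                               # "\\.\SICE" as CreateFileA would see it
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Feed `scan()` the raw bytes of a file (or of a memory dump) to triage a suspected packer; the Method 12 pattern only makes sense in 32-bit code, so a hit there inside a DOS stub is a false positive.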

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>