<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface: the 'BCHK' signature is put
in EBP and INT 3 is executed. If SoftICE is present it services the request
and modifies AL, so AL is no longer 4 afterwards:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
) x! m3 j5 n9 v+ |! C' v0 e* u1 |
Method 02" J/ O' L* J" B8 I3 N, Q0 ^
=========& [3 N5 }3 x( q6 x0 D
( }' A4 H6 `$ l/ ?
Still a method very much used (perhaps the most frequent one). It is used
% n/ A9 ?9 B3 pto get SoftICE 'Back Door commands' which gives infos on Breakpoints, e6 D, k' i' h5 d. S7 {" w
or execute SoftICE commands...0 Y1 F0 T% m/ B t. r$ ]9 d
It is also used to crash SoftICE and to force it to execute any commands
8 [0 U; r7 Z4 k(HBOOT...) :-(( 1 ]3 [" i! g. ^ t1 `, t0 C2 u5 O4 p; d
2 Z9 l2 q7 j4 r# c
Here is a quick description:
h9 p# z u9 }/ w* Q- F0 M-AX = 0910h (Display string in SIce windows)6 _+ p+ w: H% F8 z$ q
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)+ j- g0 t" Q1 v9 l, {6 |2 N# Q' ?
-AX = 0912h (Get breakpoint infos)
& N# `" H9 F: {: z, m- n-AX = 0913h (Set Sice breakpoints)
% \$ C( g& ~7 W6 J# d) M-AX = 0914h (Remove SIce breakoints)
' \+ H" I0 E5 a- R+ s: Z3 |7 Y$ k$ N. L# _1 w6 u& y) \. S
Each time you'll meet this trick, you'll see:
4 q6 u8 x- [" v-SI = 4647h$ l2 D3 p5 W/ X4 g+ M$ i: o2 Z9 P
-DI = 4A4Dh. z1 ~8 r, M. y" t" x. A
Which are the 'magic values' used by SoftIce.# x, Z5 g3 T2 M! U
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
1 `# v9 r9 v7 _9 W* o8 Y! w: p
- z( t/ y* B! V1 e; Z8 ?! n+ Y2 tHere is one example from the file "Haspinst.exe" which is the dongle HASP! T" a2 C7 h/ [5 W, {# r
Envelope utility use to protect DOS applications:) z$ ~ C; Z, g8 \* S# j
# ?5 _! _' x0 @% {8 G& z5 c
' L! e1 x c* n4C19:0095 MOV AX,0911 ; execute command.
) d3 E" t- W# ~3 x( F, c4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).6 h/ `% N. u! @! @4 P6 b
4C19:009A MOV SI,4647 ; 1st magic value.
8 h& H. E0 s8 K" ?' X4C19:009D MOV DI,4A4D ; 2nd magic value.
6 ~' _# @' h7 v# q' I4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*). u' q. m5 |/ v( D, f1 F
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute$ O! \0 [7 z$ c0 {+ f! @, L+ O1 `9 M
4C19:00A4 INC CX$ q- ^2 y# Q: e7 H( o) M
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute- Q& f [5 O$ Z1 ?* x
4C19:00A8 JB 0095 ; 6 different commands.
1 v f2 \+ b' s! |4 q1 r0 R) w7 c4C19:00AA JMP 0002 ; Bad_Guy jmp back.
# f( e9 u# h* X/ }4C19:00AD MOV BX,SP ; Good_Guy go ahead :): O. t4 W4 h, }9 b/ h4 a/ y( W
1 B: w5 }8 p0 i! j8 a$ t
The program will execute 6 different SIce commands located at ds:dx, which
: u$ d! [1 [6 L \6 T! H. gare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.+ X4 @7 U$ L4 _
( i3 B. I0 ?; i" I
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
# N! X5 Q' h/ t% ?! s( D( Q___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first because the call leaves
them untouched when no VxD with that ID is loaded, so any non-zero ES:DI
afterwards means the device answered:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
swapped for a handler that just IRETs, so without a debugger AX comes back
unchanged; SoftICE intercepts the interrupt before the real-mode vector is
reached and still answers with 0F386h:

    xor ax, ax
    mov es, ax                  ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap in our own handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to spot: the
handler copies AL into CL, and AL is seeded with a value read from the timer
port so it differs each time. If the installed handler really ran, CL equals
AL afterwards; if something else (SoftICE) intercepted int 41h, it does not:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; swap in our own handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; 'random' value from timer channel 0
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    EIP is located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed:

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
    mov edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with SoftICE's loader, 0x400 otherwise) or whether hardware breakpoints
are set (DR0 to DR3), simply by reading their values (ring 0 only, since
MOV from a debug register faults in ring 3). Their values can also be
manipulated or changed (clearing BPMs, for instance).

___________________________________________________________________________
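To make the DR7 values quoted above interpretable, here is an added example
(Python; not code from the original text or from SoftICE) that decodes the
documented DR7 bit layout and lists the hardware breakpoints it enables. The
bit positions are the Intel-documented ones; the 0x700/0x400 observation is
the text's; the register values at the bottom are constructed for the demo.

```python
# Added example (not part of the original text): decode DR7 as read by
# Method 10, so 0x700 / 0x400 can be interpreted and any active hardware
# breakpoint (DR0-DR3) can be listed.  Bit positions follow the x86 manuals.

RW_NAMES  = {0: "exec", 1: "write", 2: "io", 3: "read/write"}  # io needs CR4.DE
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}       # LEN=2 means 8 bytes only in 64-bit mode

def decode_dr7(dr7):
    """Return a dict with the global DR7 flags plus one entry per slot."""
    slots = []
    for n in range(4):
        local  = (dr7 >> (2 * n)) & 1          # Ln: bit 2n
        global_ = (dr7 >> (2 * n + 1)) & 1     # Gn: bit 2n+1
        rw = (dr7 >> (16 + 4 * n)) & 3         # R/Wn: bits 16+4n, 17+4n
        ln = (dr7 >> (18 + 4 * n)) & 3         # LENn: bits 18+4n, 19+4n
        slots.append({
            "slot": n, "enabled": bool(local or global_),
            "local": bool(local), "global": bool(global_),
            "type": RW_NAMES[rw], "len": LEN_NAMES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),    # local exact match (legacy flag)
        "GE": bool((dr7 >> 9) & 1),    # global exact match (legacy flag)
        "GD": bool((dr7 >> 13) & 1),   # general detect: trap any MOV to/from DRn
        "slots": slots,
    }

def active_breakpoints(dr7, dr0_3):
    """List (slot, linear address, type, length) for each enabled slot."""
    return [(s["slot"], dr0_3[s["slot"]], s["type"], s["len"])
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]

def looks_like_softice_loader(dr7):
    """Method 10's heuristic: the text reports DR7 == 0x700 for a program
    started from SoftICE's loader and 0x400 (only the always-set reserved
    bit 10) otherwise, i.e. the difference is the LE and GE bits."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]

if __name__ == "__main__":
    # Constructed sample: loader bits plus a local 4-byte read/write BPM
    # on 0x00401000 in slot 0 (the kind of breakpoint a ring-0 debugger sets).
    sample_dr7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    sample_dr0_3 = [0x00401000, 0, 0, 0]
    print(hex(sample_dr7), "loader:", looks_like_softice_loader(sample_dr7))
    for bp in active_breakpoints(sample_dr7, sample_dr0_3):
        print("slot %d at %08x %s len %d" % bp)
```

Reading DR0-DR7 still has to happen in ring 0 (a VxD, or a driver on NT); this
block only shows how to interpret what such a read returns.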
/ q" a X! N& n' _7 M/ v
Method 11- u! x( F- _1 u* x- V! h0 ?# ?9 @- c
=========& Q0 g$ i; S# n
" X) k: D7 T( q4 I3 R; F
This method is most known as 'MeltICE' because it has been freely distributed
! g z7 |- ~6 L' vvia www.winfiles.com. However it was first used by NuMega people to allow! ^% H8 U+ D, Y+ W0 }8 J! y
Symbol Loader to check if SoftICE was active or not (the code is located) k7 ^& ~1 t/ Q. P) d" G5 b$ q2 [6 i
inside nmtrans.dll).
3 M4 P4 C+ p: q3 ~) `" O) R* c- ]' p8 z( `0 q
The way it works is very simple:
' p" G. |: G+ U8 R& l1 @# L( QIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 L, `$ a! U; J4 E
WinNT) with the CreateFileA API.. s6 g$ k: O0 B5 L
" g/ G. }& z) A) u2 ^+ A0 X+ B% WHere is a sample (checking for 'SICE'):
6 C" A& t& R" N+ c8 }* d$ }
+ V) u0 C4 P! bBOOL IsSoftIce95Loaded()
* N; o' J4 H2 g7 @3 y! H{
: z) N, M% K/ w* ~ X HANDLE hFile; 7 j0 A1 p, d$ r
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ M0 Q7 p/ B! @- Z) q2 B FILE_SHARE_READ | FILE_SHARE_WRITE,
& h( f+ Q. y+ T" T9 S5 b, `' r NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);" T+ m$ M# ^9 |2 l( j3 ]" \3 m
if( hFile != INVALID_HANDLE_VALUE )
7 g" i: E1 m+ n {
5 Q7 J7 C6 A, d H s CloseHandle(hFile);4 @- l8 J2 j" l) l; l& ~
return TRUE;
' o& r: N$ V3 T( P% q/ X }
. B4 {9 c; S9 _8 c, M, @ return FALSE;
A( @1 S+ \3 z/ C3 Z! e9 A; w}
1 H x3 D; c, C* x5 H
5 y @: x7 m* P+ ]- V" bAlthough this trick calls the CreateFileA function, don't even expect to be
1 U6 L2 f* B2 V7 y# cable to intercept it by installing a IFS hook: it will not work, no way!
! g. k) ^4 `3 V- l# o+ ?In fact, after the call to CreateFileA it will get through VWIN32 0x001F2 h3 p+ ~1 t$ f" c+ i" \
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
# X2 g& R+ C9 @; Z2 @: Gand then browse the DDB list until it find the VxD and its DDB_Control_Proc4 ]* M# _2 e4 d a
field.+ w# M) M8 M/ Z5 M% h( M
In fact, its purpose is not to load/unload VxDs but only to send a + @* [! s! d+ r. K2 `% D
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)( ~3 _6 _6 C, v1 H( v' X6 o
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
6 e+ t# {, `& T- ato load/unload a non-dynamically loadable driver such as SoftICE ;-).
- L7 _* ^2 T6 a' IIf the VxD is loaded, it will always clear eax and the Carry flag to allow) B" ]0 l4 l! w" H J1 s
its handle to be opened and then, will be detected.
* T" _( v0 G, O, @, [& n7 E3 L- _You can check that simply by hooking Winice.exe control proc entry point
# v9 N- z! j$ K8 Qwhile running MeltICE.6 Q9 A+ |3 Z+ j. c3 U
6 w; N6 |# v& s" q$ T3 i' C
+ t" l( x% _2 s& |! d9 m. M8 h
00401067: push 00402025 ; \\.\SICE- J* E/ j" k. k2 D/ N
0040106C: call CreateFileA' e2 c( T0 G3 y/ e$ `$ k% m3 m
00401071: cmp eax,-0013 t- \9 a( R" L# p
00401074: je 00401091
% F: k* B2 C2 r" |% S& P( V, n6 y( ]! x' }1 {4 \; x5 `) g+ J
0 I+ Q9 i. U8 z2 SThere could be hundreds of BPX you could use to detect this trick.5 r' Q: F% \ \' `
-The most classical one is:
& T$ j+ ]8 X2 C: ]6 S" K# N# f# X7 { BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||8 W/ Q$ o1 ^+ \4 m
*(esp->4+4)=='NTIC'/ f& y+ j5 Q# E- q- W! ~- k
' z; C# t$ @$ U1 z4 ]0 o7 V-The most exotic ones (could be very slooooow :-(9 R G. n' \/ P1 K; ]; L
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') / k1 B, _, Z; x) `6 Y7 `
;will break 3 times :-(' a6 s) e5 Y+ U: J% E( D
$ f {* l. [! d4 {+ O-or (a bit) faster:
2 D1 u( v% H+ I' }, T6 G" u% o" Q BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
% Q( f5 x& u% Z/ h2 B# |+ ~8 w4 \3 [1 \/ ~2 Y2 S
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
$ N7 O' C' V) ~" N! b ;will break 3 times :-(3 [& J' O$ G7 p8 D+ s/ ]# N
4 j$ J9 T( `6 t, r" H/ H
-Much faster:: R) t3 p R5 z! l9 d
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
) ?4 c3 _, L0 M" q. ^% u
+ {. q! H- l9 |/ ^2 wNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ P4 W A: x6 Dfunction to do the same job:/ B7 s6 v+ Y$ ~% c* R
7 \; H( l$ c/ O5 V6 o
push 00 ; OF_READ
. |, _# J& u/ @) x8 E mov eax,[00656634] ; '\\.\SICE',0
) |% h, w4 Q& D5 F: E" ] d" R push eax
4 ^! I9 n- W( G7 z call KERNEL32!_lopen
6 H4 J& ~) z, f inc eax
5 y3 A; X9 r a8 H8 @! K jnz 00650589 ; detected1 ?* d0 U# t1 U3 l8 `& |; [* o
push 00 ; OF_READ
- m, {3 C0 f" }; J mov eax,[00656638] ; '\\.\SICE'
" R/ [+ Z$ Q1 G, |$ m# M push eax
" |0 W! q/ T4 h call KERNEL32!_lopen7 H9 m0 y! D, v% U5 `7 n6 f
inc eax
: t# g1 ?: U$ T' h& y jz 006505ae ; not detected
% K' g/ g& v$ ?, ~# g( T( _0 Z# T
% {6 ~; @; D; A% p1 q
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word selects the VxD (VWIN32),
                                ; low word selects the service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp  ax, 0F386h             ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' in keys #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
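Most of the tricks above leave fixed byte sequences or strings in the
protected file, so they can be found statically before the program is ever
run. The following added example (Python; my code, not from the original text
or from any of the programs named above) scans a buffer for the instruction
encodings of methods 01 to 07 and 12 and for the device names and registry
key of methods 11 and 13. The encodings are the standard ones for the
instructions shown; an optional 66h operand-size prefix is allowed between
instructions so the same patterns match 32-bit code. The sample "packer
stub" at the bottom is constructed here and is not bytes from any real file.

```python
# Added example (not part of the original text): static scanner for the
# anti-SoftICE byte patterns and strings described in Methods 01-07, 11-13.
import re

# (name, bytes regex, note).  Immediates are little-endian.
SIGNATURES = [
    ("Method 01: INT 3 'BCHK'",
     rb"\xbd\x4b\x48\x43\x42",                          # mov ebp,4243484Bh
     "BoundsChecker signature loaded into EBP before INT 3"),
    ("Method 02: INT 3 back door",
     rb"\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a",             # mov si,4647h ; mov di,4A4Dh
     "SoftICE back door call, magic values SI='FG' DI='JM'"),
    ("Method 03: INT 2Fh/1684h SICE",
     rb"\xb8\x84\x16(?:\x66)?\xbb\x02\x02\xcd\x2f",     # mov ax,1684h ; mov bx,0202h ; int 2Fh
     "Get Device API Entry Point for VxD ID 0202h"),
    ("Method 04: INT 2Fh/1684h SIWVID",
     rb"\xb8\x84\x16(?:\x66)?\xbb\x5f\x7a\xcd\x2f",     # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
     "Get Device API Entry Point for VxD ID 7A5Fh"),
    ("Method 05: INT 41h/4Fh",
     rb"\xb8\x4f\x00\xcd\x41",                          # mov ax,4Fh ; int 41h
     "debugger installation check, answered with AX=0F386h"),
    ("Method 07: INT 68h/43h",
     rb"\xb4\x43\xcd\x68",                              # mov ah,43h ; int 68h
     "V86 debugger installation check"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",  # push 4Fh ; push 002A002Ah
     "function 4Fh via Kernel32!ORD_0001"),
]

# Plain strings used by Methods 11 and 13.
STRINGS = [
    (rb"\\.\SICE",   "Method 11: CreateFileA/_lopen on the SICE device"),
    (rb"\\.\SIWVID", "Method 11: CreateFileA/_lopen on the SIWVID device"),
    (rb"\\.\NTICE",  "Method 11: CreateFileA on the NTICE device"),
    (rb"Software\NuMega\SoftICE", "Method 13: registry key lookup"),
]

def scan(buf):
    """Return a sorted list of (offset, name, note) for every hit in buf."""
    hits = []
    for name, pattern, note in SIGNATURES:
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), name, note))
    for s, note in STRINGS:
        pos = buf.find(s)
        while pos != -1:
            hits.append((pos, "string " + s.decode("ascii"), note))
            pos = buf.find(s, pos + 1)
    return sorted(hits)

def scan_file(path):
    """Convenience wrapper for a real executable on disk."""
    with open(path, "rb") as f:
        return scan(f.read())

# Constructed sample "packer stub": filler plus the sequences from Methods 02
# and 05 and the device name from Method 11 (not bytes from any real file).
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xb8\x11\x09"                       # mov ax,0911h
    + b"\x8b\x17"                           # mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"       # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41"               # mov ax,4Fh ; int 41h
    + b"\x3d\x86\xf3\x74\x00"               # cmp ax,0F386h ; jz ...
    + b"\x00" * 4
    + rb"\\.\SICE" + b"\x00"
)

if __name__ == "__main__":
    for off, name, note in scan(SAMPLE):
        print("%08x  %-40s %s" % (off, name, note))
```

The patterns match the instruction order shown on this page; a protector that
reorders the MOVs or builds the magic values arithmetically needs extra
patterns, which is exactly why the SoftICE breakpoint conditions given with
each method remain useful at run time.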

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>