<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh        ; 'BCHK'
    mov ax, 04h
    int 3                      ; SoftICE's BoundsChecker interface answers here
    cmp al, 4                  ; al is still 4 when no SoftICE handled the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").

    xor di, di
    mov es, di                 ; ES:DI = 0:0 before the call
    mov ax, 1684h              ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 0202h              ; VxD ID of WinICE
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di                 ; ES:DI stays 0:0 if the VxD is not present
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh              ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install a dummy int 41h handler (es = 0, the IVT)...
    xchg bx, es:[41h*4+2]      ; ...and keep the old vector in dx:bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h             ; the dummy handler cannot return this value
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; the dummy handler copies al into cl
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install the dummy int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; al = timer counter byte (a non-constant value)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; cl != al means the dummy handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
   BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                ; DOS: set interrupt vector
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID         ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                               ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                               ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxDCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed           ; ZF set -> no debugger present

This service just checks a flag.
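
As an added example (my own code, not from the original text or from any tool it names), a small static scanner in Python that looks for the byte and string signatures of Methods 01 to 13 in a file image, the kind of triage check an analyst runs on a packed sample before stepping into it. The byte patterns are the standard x86 encodings of the instructions listed above, the rule names and the sample buffer are constructed for this example, and the script assumes a flat binary (no relocation or section handling).

```python
import re

# Byte-pattern rules for the checks described above, built from the
# standard x86 encodings of the listed instructions ("??" is a one-byte
# wildcard). Constructed for this example; the rule names are assumptions.
RULES = [
    ("M01 BoundsChecker 'BCHK' magic (mov ebp,4243484Bh)", "BD 4B 48 43 42"),
    ("M02 back door magic values (mov si,4647h; mov di,4A4Dh)", "BE 47 46 BF 4D 4A"),
    ("M03/M04 int 2Fh/1684h VxD entry-point lookup", "B8 84 16 BB ?? ?? CD 2F"),
    ("M05 int 41h/4Fh debugger installation check", "B8 4F 00 CD 41"),
    ("M07 int 68h/43h V86 handler check", "B4 43 CD 68"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)", "6A 4F 68 2A 00 2A 00"),
]

# Plain strings that give the check away: the device names opened by the
# MeltICE-style check (Method 11) and the registry key of Method 13.
STRINGS = [
    (rb"\\.\SICE", "M11 device name"),
    (rb"\\.\SIWVID", "M11 device name"),
    (rb"\\.\NTICE", "M11 device name"),
    (rb"Software\NuMega\SoftICE", "M13 registry key"),
]

# VxD IDs the int 2Fh/1684h rule may carry in BX (Methods 03/04/09).
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}

def hex_pattern_to_regex(pattern):
    """Turn 'B8 84 16 BB ?? ??' into a bytes regex; ?? matches any byte."""
    parts = [b"." if tok == "??" else b"\\x%02X" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf):
    """Return sorted (offset, description) hits for every rule found in buf."""
    hits = []
    for name, pattern in RULES:
        for m in hex_pattern_to_regex(pattern).finditer(buf):
            desc = name
            if name.startswith("M03/M04"):  # decode the imm16 of "mov bx, imm16"
                vxd_id = int.from_bytes(m.group(0)[4:6], "little")
                desc += " for VxD %04Xh (%s)" % (vxd_id, VXD_IDS.get(vxd_id, "unknown"))
            hits.append((m.start(), desc))
    for text, name in STRINGS:
        for m in re.finditer(re.escape(text), buf):
            hits.append((m.start(), "%s %s" % (name, text.decode())))
    return sorted(hits)

# Constructed sample buffer: padding around four of the checks above.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # M03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # M05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 2
    + rb"\\.\SICE" + b"\x00"              # M11: device name string
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"     # M12: push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("%06X  %s" % (offset, desc))
```

Run it against a real file with scan(open(path, "rb").read()); a hit is a lead to inspect, not proof, since the short patterns can occur by chance in data.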
</PRE></TD></TR></TBODY></TABLE>