<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh          ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911        ; execute command.
    4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647        ; 1st magic value.
    4C19:009D MOV DI,4A4D        ; 2nd magic value.
    4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
    4C19:00A8 JB 0095            ; 6 different commands.
    4C19:00AA JMP 0002           ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h                ; VxD ID of winice
    int 2Fh
    mov ax, es                   ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh                ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                   ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86).

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID           ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name         ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx               ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

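As an added example (not from the original text nor from any program it mentions), a small static scanner in C that an analyst can run over a raw file image to flag the byte-level artifacts of Methods 01, 02 and 11: the 'BCHK' immediate followed by INT 3, the 4647h/4A4Dh magic values, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names. The sample images are constructed from the opcodes shown on this page; the encodings assumed (16-bit MOV SI/DI, and the 66-prefixed variants of Method 01) are my own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Bit flags for the artifacts recognised (Methods 01, 02 and 11 above). */
enum { HIT_BCHK = 1, HIT_BACKDOOR = 2, HIT_DEVNAME = 4 };

/* Return 1 if needle occurs anywhere in buf, else 0. */
static int has_bytes(const unsigned char *buf, size_t len, const void *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || len < nlen) return 0;
    for (i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Method 01: the 'BCHK' immediate (4B 48 43 42) followed by an INT 3 (CC) within 8 bytes;
 * covers the 16-bit (66 BD imm32 / B8 04 00 / CC) and 32-bit (BD imm32 / 66 B8 04 00 / CC) forms. */
static int has_bchk_int3(const unsigned char *buf, size_t len)
{
    static const unsigned char bchk[4] = { 0x4B, 0x48, 0x43, 0x42 };
    size_t i, j;
    for (i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, bchk, 4) != 0) continue;
        for (j = i + 4; j < len && j < i + 12; j++)
            if (buf[j] == 0xCC) return 1;
    }
    return 0;
}

/* Scan a raw code/data image and return the OR of the HIT_* flags found in it. */
int scan_anti_sice(const unsigned char *buf, size_t len)
{
    /* Method 02: MOV SI,4647h (BE 47 46) and MOV DI,4A4Dh (BF 4D 4A); a 66 prefix in
     * 32-bit code leaves these three-byte sequences intact, so both modes match. */
    static const unsigned char mov_si[3] = { 0xBE, 0x47, 0x46 };
    static const unsigned char mov_di[3] = { 0xBF, 0x4D, 0x4A };
    int hits = 0;
    if (has_bchk_int3(buf, len)) hits |= HIT_BCHK;
    if (has_bytes(buf, len, mov_si, 3) && has_bytes(buf, len, mov_di, 3)) hits |= HIT_BACKDOOR;
    /* Method 11: device names handed to CreateFileA or _lopen (MeltICE style). */
    if (has_bytes(buf, len, "\\\\.\\SICE", 8) || has_bytes(buf, len, "\\\\.\\SIWVID", 10) ||
        has_bytes(buf, len, "\\\\.\\NTICE", 9)) hits |= HIT_DEVNAME;
    return hits;
}

/* Constructed sample: the Haspinst.exe loop of Method 02 (MOV AX,0911 / MOV DX,[BX] /
 * MOV SI,4647 / MOV DI,4A4D / INT 3) followed by a MeltICE-style device-name string. */
int sample_backdoor_and_devname(void)
{
    static const unsigned char img[] = {
        0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
        0x00, '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00 };
    return scan_anti_sice(img, sizeof img);   /* HIT_BACKDOOR | HIT_DEVNAME == 6 */
}
/* Constructed sample: the 16-bit encoding of Method 01 (MOV EBP,4243484Bh / MOV AX,4 / INT 3). */
int sample_bchk(void)
{
    static const unsigned char img[] = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC };
    return scan_anti_sice(img, sizeof img);   /* HIT_BCHK == 1 */
}
```

A real scan would feed the whole executable image to scan_anti_sice and report each flag separately, since a packer may use only one of the three tricks.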
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh               ; function 4fh
    push 002a002ah               ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001        ; VxDCall
    cmp ax, 0f386h               ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>