About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

When SoftICE is loaded, its int 3 handler answers this BoundsChecker
request and changes AL; an unchanged AL (still 4) means it is not loaded.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

ES:DI is left at 0:0 when no VxD with that ID is loaded, so a non-zero
sum means SoftICE is present.

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to segment 0 (the interrupt vector table),
    ; as set up explicitly in Method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Swapping the int 41h vector for a dummy 'iret' handler first means that,
without a system debugger, AX comes back unchanged (4Fh); SoftICE intercepts
int 41h before the V86 vector is reached and still answers 0F386h.

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

AL holds a timer byte and CX is zero; only the dummy handler copies AL
into CL, so if int 41h was intercepted and the handler never ran, CL
differs from AL.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
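An added analyst-side example, not code from the original post: a static signature scanner that flags the instruction byte sequences and strings from Methods 01 to 07, 11, 12 and 13 in a binary, so a packed sample can be triaged for these tricks before it is ever loaded under a debugger. The `Signature` class, the `scan` function and the `SAMPLE` blob are all constructed for this example.

```python
# Static triage scanner for the anti-SoftICE tricks described above. Added example,
# not code from the original post. Each pattern is the x86 encoding of the instructions
# quoted in a method; in 32-bit code a 66h operand-size prefix sits before the opcode
# byte, so the patterns match either mode. Methods 08, 09, 10 and 14 (int 21h vector
# calls, ring-0 VMMCalls, debug-register reads) have no distinctive bytes and are omitted.
from dataclasses import dataclass

hx = bytes.fromhex


@dataclass(frozen=True)
class Signature:
    method: str        # method number used in the text
    name: str
    fragments: tuple   # fragments[0] anchors a hit; the rest must follow within `window` bytes
    window: int = 32


SIGNATURES = (
    Signature("01", "BoundsChecker 'BCHK' int 3 probe", (hx("BD4B484342"),)),  # mov ebp,4243484Bh
    Signature("02", "int 3 back door, SI=4647h DI=4A4Dh", (hx("BE4746"), hx("BF4D4A"))),
    Signature("03", "int 2Fh/1684h, VxD ID 0202h (SICE)", (hx("B88416"), hx("BB0202"), hx("CD2F"))),
    Signature("04", "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", (hx("B88416"), hx("BB5F7A"), hx("CD2F"))),
    Signature("05", "int 41h function 4Fh, magic 0F386h", (hx("B84F00"), hx("CD41"))),  # mov ax,4Fh / int 41h
    Signature("06", "int 41h after in al,40h timer read", (hx("E440"), hx("CD41"))),
    Signature("07", "int 68h function 43h", (hx("B443"), hx("CD68"))),  # mov ah,43h / int 68h
    Signature("11", "MeltICE device name", (b"\\\\.\\SICE",)),
    Signature("11", "MeltICE device name", (b"\\\\.\\SIWVID",)),
    Signature("11", "MeltICE device name", (b"\\\\.\\NTICE",)),
    Signature("12", "VxDCall VWIN32_Int41Dispatch 4Fh", (hx("6A4F"), hx("682A002A00"))),  # push 4Fh / push 2A002Ah
    Signature("13", "SoftICE registry key", (b"Software\\NuMega\\SoftICE",)),
    Signature("13", "SoftICE registry key", (b"Uninstall\\SoftICE",)),
)


def scan(data: bytes):
    """Return sorted (offset, method, name) hits for every signature found in data."""
    hits = []
    for sig in SIGNATURES:
        anchor, rest = sig.fragments[0], sig.fragments[1:]
        pos = data.find(anchor)
        while pos != -1:
            region = data[pos:pos + sig.window]
            if all(frag in region for frag in rest):
                hits.append((pos, sig.method, sig.name))
            pos = data.find(anchor, pos + 1)
    return sorted(hits)


# Constructed sample: Method 01 (32-bit form), Method 12, two MeltICE names, one registry key.
SAMPLE = (
    b"\x90" * 8
    + hx("BD4B484342 66B80400 CC 3C04 7502")            # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + hx("6A4F 682A002A00 FF1500000000 663D86F3 7400")  # push 4Fh / push 2A002Ah / call [..] / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, name in scan(SAMPLE):
        print(f"0x{offset:08x}  Method {method}  {name}")
```

Run it on a real sample by replacing `SAMPLE` with the file's bytes; a hit is a triage lead, not proof, since short opcode patterns can occur by chance in unrelated code.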