<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This detection method (and the next one) is used by most of the
packers/encryptors found on the Internet. It relies on the BoundsChecker
interface built into SoftICE: INT 3 is executed with EBP = 'BCHK'
(04243484Bh) and AX = 4. If SoftICE is loaded it handles the interrupt
itself and changes AL, so the test is simply that AL is no longer 4:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; handled by SoftICE if it is loaded
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' INT 3 interface, which gives information on breakpoints
or executes SoftICE commands... It is also used to crash SoftICE or to force
it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before it honours the call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; back door call (if SoftICE is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy: jump back.
 4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0000:0000; adding ES and DI is just a cheap (if sloppy) way of testing
both halves for zero.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns in AX from int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It first points the int 41h vector at a private handler
that just IRETs, so that without a debugger AX comes back untouched (4Fh):
only a debugger intercepting the interrupt can still answer 0F386h.

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table at 0000:0000
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, old vector kept in BX:DX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to detect: there is
no 4Fh or 0F386h constant to set a breakpoint on. A random-ish byte read
from the timer (port 40h) is put in AL and CX is cleared before the call.
The private handler copies AL to CL, so if the handler really ran, CL equals
AL afterwards; if something else took the interrupt, CL is still zero and
the comparison fails:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, old vector kept in BX:DX
 xchg bx, es:[41h*4+2]
 in al, 40h ; random-ish byte from the PIT counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

(If the byte read from port 40h happens to be zero, CL equals AL either way
and the debugger goes undetected that time.)

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86): function AH=43h is the
installation check and returns the same 0F386h magic number.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system: int 01h
and int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3 hold their addresses), simply by reading
the registers. Bit 10 of DR7 is reserved and always reads as 1, which is
where the idle value 0x400 comes from; 0x700 additionally has the LE and GE
bits (8 and 9) set. The values can be manipulated or changed as well
(clearing BPMs, for instance).
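
The following C decoder is an added example (not part of the original text,
and not SoftICE code): it splits a DR7 value into the per-slot enable, R/W
and LEN fields so that the 0x400 / 0x700 values above, and any armed BPM
slot, can be read off directly. Nothing here touches the real debug
registers; every value fed to it is constructed.

```c
/* Added example, not from the original page: decode a DR7 value the way a
 * ring-0 anti-debug check would inspect it. Nothing here touches the real
 * debug registers; the values in main() are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled;   /* L (local) or G (global) enable bit set for this slot */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O (with CR4.DE), 3 = read/write */
    int len;       /* 1, 2 or 4 bytes (encoding 2 means 8 bytes on 64-bit CPUs) */
} bpm_slot_t;

typedef struct {
    bpm_slot_t slot[4];
    int count;          /* number of armed slots */
    int le, ge;         /* local/global exact-match bits 8 and 9 */
    int reserved_bit10; /* reserved, reads as 1 on real hardware */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    dr7_t d = { 0 };
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].enabled = l | g;
        d.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
        d.count += d.slot[i].enabled;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    return d;
}

/* Arm slot i (global enable) with the given R/W and LEN encodings, the way a
 * debugger setting a memory breakpoint would; returns the new DR7 value. */
uint32_t arm_slot(uint32_t dr7, int i, int rw, int len_code)
{
    dr7 |= 1u << (2 * i + 1);
    dr7 &= ~(0xFu << (16 + 4 * i));
    dr7 |= (uint32_t)((rw & 3) | ((len_code & 3) << 2)) << (16 + 4 * i);
    return dr7;
}

/* The check the page describes: is any slot armed, or does DR7 carry the
 * LE+GE pattern (0x700) the SoftICE loader leaves behind? */
int looks_debugged(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.count > 0 || (d.le && d.ge);
}

int main(void)
{
    uint32_t v = arm_slot(0x400, 0, 1, 3);   /* BPM on slot 0: write, 4 bytes */
    dr7_t d = decode_dr7(v);
    printf("dr7=%#x armed=%d slot0: rw=%d len=%d\n", v, d.count, d.slot[0].rw, d.slot[0].len);
    printf("0x400 debugged? %d   0x700 debugged? %d\n", looks_debugged(0x400), looks_debugged(0x700));
    return 0;
}
```

A value of 0x400 decodes to "nothing armed, reserved bit set", 0x700 to
"nothing armed, LE and GE set", and a BPM on slot 0 shows up as a global
enable plus its R/W and LEN fields (0xD0402 for a 4-byte write watch).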
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves, to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001 VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field. Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

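Methods 01 to 07 and 12 are all short, constant-laden instruction sequences,
which makes them easy to find statically in a packed or protected binary
before it ever runs. The scanner below is an added example (not from the
original text, and not a NuMega or SoftICE tool): it carries the standard
x86 byte encodings of those sequences and runs them over a constructed sample
buffer. The INT-based patterns are the 16-bit encodings; 32-bit builds of the
same tricks usually add a 66h operand-size prefix or use ESI/EDI, which these
exact patterns would miss, so treat them as a starting point rather than a
complete rule set.

```c
/* Added example, not from the original page: a static scanner for the
 * anti-SoftICE instruction sequences described above. Patterns are the
 * standard x86 encodings; the buffer scanned in main() is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WILD 0x100  /* pattern element that matches any byte */

typedef struct {
    const char *name;
    const int *pat;   /* byte values 0..255, or WILD */
    size_t len;
} sig_t;

typedef struct {
    const char *name;
    size_t offset;
} hit_t;

/* Method 05: mov ax,4Fh / int 41h */
static const int P_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh */
static const int P_INT2F[]  = { 0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F };
/* Method 02: mov si,4647h / mov di,4A4Dh (the 'FG' 'JM' back door magic) */
static const int P_FGJM[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Method 01: mov ebp,4243484Bh ('BCHK') in 32-bit code */
static const int P_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 07: mov ah,43h / int 68h */
static const int P_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
static const int P_VWIN32[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t SIGS[] = {
    SIG("int41/4Fh check",        P_INT41),
    SIG("int2Fh/1684h VxD probe", P_INT2F),
    SIG("INT 3 back door magic",  P_FGJM),
    SIG("BCHK interface",         P_BCHK),
    SIG("int68h/43h check",       P_INT68),
    SIG("VxDCall Int41Dispatch",  P_VWIN32),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int match_at(const uint8_t *buf, size_t len, size_t pos, const sig_t *s)
{
    if (pos + s->len > len) return 0;           /* never read past the buffer */
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[pos + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan buf; record up to max_hits matches in offset order, return the total found. */
size_t scan_antisice(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t pos = 0; pos < len; pos++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, len, pos, &SIGS[k])) {
                if (n < max_hits) { hits[n].name = SIGS[k].name; hits[n].offset = pos; }
                n++;
            }
    return n;
}

/* For the int 2Fh probe the two wildcard bytes are the VxD ID (little endian). */
unsigned vxd_id_at(const uint8_t *buf, size_t hit_offset)
{
    return buf[hit_offset + 4] | ((unsigned)buf[hit_offset + 5] << 8);
}

/* Constructed sample, not taken from any real binary: a 4Fh check, a
 * 2Fh/1684h probe for VxD 0202h and a back door call, separated by NOPs. */
const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,             /* mov ax,4Fh; int 41h; cmp ax,0F386h */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,             /* mov ax,1684h; mov bx,0202h; int 2Fh */
    0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* mov ax,0911h; magic; int 3 */
    0xC3,
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Offset of the i-th hit in SAMPLE, or (size_t)-1 if there is none. */
size_t sample_hit_offset(size_t i)
{
    hit_t h[16];
    size_t n = scan_antisice(SAMPLE, SAMPLE_LEN, h, 16);
    return (i < n && i < 16) ? h[i].offset : (size_t)-1;
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_antisice(SAMPLE, SAMPLE_LEN, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++) {
        printf("%-26s at offset %zu", hits[i].name, hits[i].offset);
        if (hits[i].name == SIGS[1].name) printf(" (VxD ID %04Xh)", vxd_id_at(SAMPLE, hits[i].offset));
        putchar('\n');
    }
    return 0;
}
```

On the sample it reports the int 41h check at offset 2, the int 2Fh probe
at offset 11 (VxD ID 0202h, i.e. SICE) and the back door magic at offset 22;
a buffer cut short before a pattern ends simply yields no hit.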
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside the #2 and #1 subkey strings):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>