About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE implementing the BoundsChecker int 3 interface: with
EBP = 'BCHK' and AX = 4, SoftICE answers by changing AL, so if AL is still 4
afterwards no SoftICE is present:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily replaces the
int 41h vector with a dummy IRET handler before issuing the call, so only a
debugger that intercepts int 41h below the real-mode vector table can still
answer 0F386h:

    xor     ax,ax
    mov     es,ax               ; ES -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect, as it
contains neither the 4Fh function number nor the 0F386h constant: the
temporary handler copies AL into CL, so if SoftICE handles the int 41h itself
instead of passing it down to the vector, the copy never happens and CL
(zeroed beforehand) differs from the timer byte read from port 40h (if that
byte happens to be 0 the check gives a false negative):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT channel 0 counter: a byte that changes every run
    xor     cx,cx
    int     41h                 ; our handler should set CL = AL
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver (SoftICE for Win9x) hands out a handle. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>