<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of winice
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method checking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]            ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]            ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded, so the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                ; OF_READ
        mov eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589           ; detected
        push 00                ; OF_READ
        mov eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh         ; function 4fh
        push 002a002ah         ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001  ; VxdCall
        cmp ax, 0f386h         ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
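The breakpoints given above catch these tricks while tracing; before tracing it
helps to know which of them a packed program contains. The following scanner is
an added example written for this page (it is not part of the original text
and not code from any of the tools named here). It searches a raw binary for
the byte patterns of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13: the
immediates, driver names and registry key come from the listings above, and
the opcode bytes are the standard x86 encodings of those instructions (a 66h
operand-size prefix in 32-bit code still leaves the matched bytes intact).
SAMPLE is a constructed input, not a real file.

```python
# Added example: static triage of a binary for the SoftICE checks listed
# above. Not code from the original text; SAMPLE is constructed.
import re
import sys

# (method, description, compiled regex over raw bytes). The small ".{0,n}"
# gaps tolerate a few padding or reordered bytes between the instructions.
SIGNATURES = [
    ("M01", "mov ebp,'BCHK' ; ... ; int 3  (BoundsChecker interface)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.DOTALL)),
    ("M02", "mov si,4647h ; mov di,4A4Dh  (back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.DOTALL)),
    ("M03/04", "mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh  (VxD entry point)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    ("M05", "mov ax,4Fh ; int 41h ; cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}\x3D\x86\xF3", re.DOTALL)),
    ("M07", "mov ah,43h ; int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("M11", r"driver name \\.\SICE, \\.\SIWVID or \\.\NTICE  (MeltICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M12", "push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("M13", r"registry key Software\NuMega\SoftICE",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob):
    """Return [(offset, method, description)] for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def detected_methods(blob):
    """Sorted, de-duplicated list of the method ids whose pattern matched."""
    return sorted({method for _, method, _ in scan(blob)})


def scan_file(path):
    """Scan a file on disk; returns the same list as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Methods 01, 02 and 05 encoded as they would appear in a
# 16-bit DOS executable, plus the MeltICE device name and the registry key,
# separated by NOP filler. Offsets: M01 at 5, M02 at 23, M05 at 34,
# M11 at 46, M13 at 55.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh  ('BCHK')
    + b"\xB8\x04\x00"                  # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax, 0911h
    + b"\xBE\x47\x46"                  # mov si, 4647h
    + b"\xBF\x4D\x4A"                  # mov di, 4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax, 4Fh ; int 41h
    + b"\x3D\x86\xF3"                  # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"               # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(data):
        print(f"{offset:08X}  {method:<6}  {desc}")
```

Run it with a file path to scan that file, or without arguments to scan the
built-in sample. Treat the short patterns (M07 is only four bytes) as leads to
confirm by disassembling at the reported offset, not as proof; and a packer
that decrypts the check or builds the immediates at run time will not match at
all, which is exactly the case the breakpoints listed above are for.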
</PRE></TD></TR></TBODY></TABLE>