<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                 ; SoftICE's BoundsChecker interface changes AL
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax                ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; assumes ES = 0 (the IVT segment, see Method 06)
    xchg bx, es:[41h*4+2]     ; install our own int 41h handler, keep the old vector in DX:BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h            ; our handler leaves AX untouched; a debugger answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read the timer: a value nobody can predict
    xor cx,cx
    int 41h                   ; if our handler ran, CL == AL
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected      ; a system debugger swallowed int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
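The listings of Methods 01 through 07 all hinge on a few fixed immediates (the 'BCHK' constant, SI/DI = 4647h/4A4Dh, 1684h with the SICE and SIWVID VxD IDs, function 4Fh of int 41h, function 43h of int 68h, the 0F386h compare), which makes them easy to spot statically. The following Python scanner is an added example and is not part of this text: the rules are my own byte encodings (16-bit, as in the listings) of the snippets above, the fragment window is an assumption, and the sample buffer is hand-assembled for the test rather than taken from any real program.

```python
"""Static scanner for the SoftICE-detection opcode patterns of Methods 01-07.

Each rule lists byte fragments that the method's code must contain close
together.  Encodings are the 16-bit (DOS) ones used in the listings above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    method: str
    description: str
    anchors: tuple      # first fragment is the anchor, the rest must follow it
    window: int = 32    # bytes searched after the anchor for the remaining fragments


RULES = (
    Rule("01", "'BCHK' BoundsChecker signature passed to int 3",
         (b"\xBD\x4B\x48\x43\x42",   # mov ebp, 4243484Bh (preceded by 66h in 16-bit code)
          b"\xCC")),                 # int 3
    Rule("02", "int 3 back door with SI=4647h / DI=4A4Dh",
         (b"\xBE\x47\x46",           # mov si, 4647h
          b"\xBF\x4D\x4A",           # mov di, 4A4Dh
          b"\xCC")),                 # int 3
    Rule("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
         (b"\xB8\x84\x16",           # mov ax, 1684h
          b"\xBB\x02\x02",           # mov bx, 0202h
          b"\xCD\x2F")),             # int 2Fh
    Rule("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
         (b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F")),
    Rule("05", "int 41h followed by a compare with 0F386h",
         (b"\xCD\x41",               # int 41h
          b"\x3D\x86\xF3")),         # cmp ax, 0F386h
    Rule("06", "int 41h after an unpredictable 'in al,40h' timer read",
         (b"\xE4\x40",               # in al, 40h
          b"\xCD\x41")),             # int 41h
    Rule("07", "int 68h function 43h followed by a compare with 0F386h",
         (b"\xB4\x43",               # mov ah, 43h
          b"\xCD\x68",               # int 68h
          b"\x3D\x86\xF3")),         # cmp ax, 0F386h
)


def find_all(buf: bytes, needle: bytes):
    """Yield every offset of needle in buf (overlapping matches included)."""
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)


def scan(buf: bytes) -> list:
    """Return (method, description, anchor offset) for every rule that fires.

    The remaining fragments only have to appear somewhere inside the window
    after the anchor; their mutual order is not enforced."""
    hits = []
    for rule in RULES:
        first, rest = rule.anchors[0], rule.anchors[1:]
        for off in find_all(buf, first):
            region = buf[off + len(first): off + rule.window]
            if all(fragment in region for fragment in rest):
                hits.append((rule.method, rule.description, off))
    return hits


# Constructed sample: hand-assembled copies of the Method 02 loop, the simple
# Method 05 check and the Method 03 probe, separated by NOP padding.
PAD = b"\x90" * 16
METHOD02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC"   # mov ax,911h / mov dx,[bx] / si / di / int 3
                         "83C302" "41" "83F906" "72EB")           # add bx,2 / inc cx / cmp cx,6 / jb
METHOD05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7405")          # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
METHOD03 = bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F"    # xor di,di / mov es,di / 1684h / 202h / int 2Fh
                         "8CC0" "01F8" "85C0" "75F0")             # mov ax,es / add ax,di / test ax,ax / jnz
SAMPLE = PAD + METHOD02 + PAD + METHOD05 + PAD + METHOD03 + PAD

if __name__ == "__main__":
    for method, description, off in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method} - {description}")
```

Run against a raw code image (an unpacked DOS program or a dumped code section) the scanner reports the anchor offset of each pattern; for the constructed sample it reports Methods 02, 05 and 03 and nothing for a buffer of NOPs.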
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h               ; DOS set interrupt vector
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
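The two DR7 values quoted above (0x700 against the reset value 0x400) are easier to reason about once the register is split into its fields: bit 10 is reserved and always reads as 1, bits 8 and 9 are the LE/GE "exact breakpoint" enables, and a BPM shows up as an Ln/Gn enable bit plus an R/Wn and LENn field. The decoder below is an added example, not part of this text; the bit layout follows the Intel SDM description of DR7 (the 8-byte LEN encoding only exists in 64-bit mode), and the sample values are constructed.

```python
"""Decode the x86 DR7 debug-control register into named fields.

Bit layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 L0/G0 .. L3/G3,
bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD,
bits 16-31 R/Wn and LENn for hardware breakpoints 0..3.
"""
CONDITIONS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}      # 8 bytes is only defined in 64-bit mode
RESET_VALUE = 0x400                     # DR7 after reset: only the reserved bit set


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into per-breakpoint entries and the global flags."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "condition": CONDITIONS[rw],
            "length": LENGTHS[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),          # general detect: traps MOV to/from DRn
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def active_breakpoints(dr7: int) -> list:
    """Indices of the hardware breakpoints (dr0..dr3) that are armed."""
    return [n for n, bp in enumerate(decode_dr7(dr7)["breakpoints"]) if bp["enabled"]]


def nonreset_fields(dr7: int) -> list:
    """Names of every field that differs from the reset value 0x400.

    For the 0x700 value quoted in the text this is just ['LE', 'GE']; a BPM
    adds an Ln/Gn enable plus its RWn/LENn fields."""
    fields = decode_dr7(dr7)
    out = []
    for n, bp in enumerate(fields["breakpoints"]):
        if bp["local"]:
            out.append(f"L{n}")
        if bp["global"]:
            out.append(f"G{n}")
        if bp["condition"] != "execute":
            out.append(f"RW{n}={bp['condition']}")
        if bp["length"] != 1:
            out.append(f"LEN{n}={bp['length']}")
    out += [flag for flag in ("LE", "GE", "GD") if fields[flag]]
    return out


if __name__ == "__main__":
    # Constructed values: reset, the loader pattern from the text, and a
    # 4-byte write breakpoint armed in dr0 on top of the loader pattern.
    for value in (0x400, 0x700, 0xD0701):
        print(f"dr7={value:#x}: active={active_breakpoints(value)} "
              f"non-reset fields={nonreset_fields(value)}")
```

Reading the registers needs ring 0, as the text says; the decoder itself only takes the integer, so it is equally usable on a value captured from a crash dump or a VM snapshot.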
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;      /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001    ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
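Both Method 11 and Method 13 depend on fixed strings that survive in the program's image: the device names "\\.\SICE", "\\.\SIWVID" and "\\.\NTICE", and the registry sub-keys listed above. The scanner below is an added example, not part of this text or of MeltICE: it searches a byte buffer for those strings in ASCII and UTF-16LE (the A and W API flavours), case-insensitively since both device and registry names are case-insensitive, and also derives the four-character tag that the "BPX CreateFileA if *(esp->4+4)==..." condition compares. The sub-key strings are my assumption of what a program passes to RegOpenKey under HKEY_LOCAL_MACHINE, and the sample buffer is constructed.

```python
r"""Find MeltICE device names (Method 11) and SoftICE registry keys (Method 13)
in a binary's bytes, in both ASCII and UTF-16LE."""
import re

DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")
# Sub-keys under HKEY_LOCAL_MACHINE, as a program would pass them to RegOpenKey.
REGISTRY_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def device_path(device: str) -> str:
    """Win32 device path '\\.\<device>' for a driver name."""
    return "\\\\.\\" + device


def _encodings(text: str):
    """The byte forms an A-API or W-API caller would embed."""
    return (("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le")))


def _search(buf: bytes, kind: str, label: str, text: str, hits: list) -> None:
    for enc, needle in _encodings(text):
        # IGNORECASE on bytes folds ASCII letters only, which is all these strings contain.
        for m in re.finditer(re.escape(needle), buf, re.IGNORECASE):
            hits.append((kind, label, enc, m.start()))


def scan_strings(buf: bytes) -> list:
    """Return (kind, name, encoding, offset) for every indicator, sorted by offset."""
    hits = []
    for dev in DEVICE_NAMES:
        _search(buf, "device", dev, device_path(dev), hits)
    for key in REGISTRY_KEYS:
        _search(buf, "registry", key, key, hits)
    return sorted(hits, key=lambda h: h[3])


def bpx_tag(device: str) -> str:
    """The four characters at offset 4 of the device path, i.e. the dword the
    'BPX CreateFileA if *(esp->4+4)==...' condition above compares."""
    return device_path(device)[4:8]


# Constructed sample: an ASCII device name, a wide device name and a registry
# sub-key in different letter case, separated by zero padding.
PAD = b"\x00" * 8
SAMPLE = (PAD
          + b"\\\\.\\SICE\x00"                      # as pushed to CreateFileA
          + PAD
          + "\\\\.\\NTICE".encode("utf-16-le")      # wide form for CreateFileW
          + PAD
          + b"SOFTWARE\\NuMega\\SoftICE\x00"        # registry path, upper-case hive prefix
          + PAD)

if __name__ == "__main__":
    for kind, name, enc, off in scan_strings(SAMPLE):
        print(f"{off:#06x} {kind:8} {enc:8} {name}")
    for dev in DEVICE_NAMES:
        print(f"BPX tag for {dev}: {bpx_tag(dev)!r}")
```

Unlike the breakpoints above, this runs without SoftICE loaded and works on a packed program only after unpacking, since the strings are what the packer hides.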
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>