<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next snippet, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one.

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
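As an added illustration (not part of the original text), the Python scanner below looks for the byte encodings of the instruction sequences that methods 01 to 05, 11 and 12 above rely on, the way an analyst would triage a sample for these anti-debugging idioms. The sample "binary" it scans is constructed here and is not taken from any real file, and the allowance of up to 8 filler bytes between instructions is an assumption.

```python
"""Static scanner for the SoftICE-detection idioms catalogued above.

Added example (not from the original text).  Each entry pairs a method
number from the text with the x86 encoding of the instructions it relies
on: 16-bit real-mode encodings for the DOS-style tricks (02 to 05), 32-bit
for the Win32 ones (01, 12), plus the MeltICE device names (11).  Gaps of
up to 8 bytes between instructions are tolerated (an assumption).
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK/int 3": rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    "02 SoftICE back door magic":  rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC",
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)
    "03 int 2Fh/1684h SICE":       rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F",
    # Method 04: same with bx = 7A5Fh (SIWVID VxD ID)
    "04 int 2Fh/1684h SIWVID":     rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h": rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,8}\x3D\x86\xF3",
    # Method 11: NUL-terminated device names \\.\SICE, \\.\SIWVID, \\.\NTICE
    "11 MeltICE device name":      rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall 002A002Ah/4Fh":    rb"\x6A\x4F.{0,4}\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (method, offset) for every signature found in blob, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a Haspinst-style back door call (method 02), a MeltICE
# device name (method 11) and the int 41h check (method 05), padded with
# NOPs.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h   (execute command)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46"                      # mov si,4647h   (1st magic value)
    + b"\xBF\x4D\x4A"                      # mov di,4A4Dh   (2nd magic value)
    + b"\xCC"                              # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {name}")
```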