About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE device; succeeds only if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
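The tricks above leave recognisable byte patterns in a binary. As an added example, not code from the original post, the following Python scanner turns the signatures catalogued above (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD lookups, the int 41h/4Fh and int 68h/43h probes, the VxDCall 002A002Ah service, the \\.\SICE-style device names and the registry keys) into YARA-style byte rules, the way an analyst flags anti-debugging code in a sample. The instruction encodings are standard 16-bit x86 (32-bit code carries a 66h prefix in front of the same bytes), and the sample buffer is constructed here for the demo.

```python
"""Signature scanner for the anti-SoftICE tricks listed in the post."""
import re
from typing import List, Set, Tuple

# (method number in the post, description, byte regex). Encodings assume
# 16-bit operand size; in 32-bit code a 66h prefix precedes the same bytes.
RULES: List[Tuple[int, str, bytes]] = [
    (1, "mov ebp,4243484Bh ('BCHK') BoundsChecker int 3 probe",
     rb"\xbd\x4b\x48\x43\x42"),
    (2, "back-door magic values mov si,4647h ... mov di,4A4Dh",
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"),
    (3, "int 2Fh/1684h entry point of VxD ID 0202h (SICE)",
     rb"\xbb\x02\x02.{0,8}?\xcd\x2f"),
    (4, "int 2Fh/1684h entry point of VxD ID 7A5Fh (SIWVID)",
     rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    (5, "int 41h fn 4Fh then cmp ax,0F386h",
     rb"\xb8\x4f\x00\xcd\x41.{0,16}?\x3d\x86\xf3"),
    (7, "int 68h fn 43h: mov ah,43h / int 68h",
     rb"\xb4\x43\xcd\x68"),
    (11, "MeltICE device name (CreateFileA / _lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    (12, "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    (13, "SoftICE registry key probed",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]

def scan(data: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, method, description) for every rule hit, by offset."""
    hits = []
    for method, desc, pattern in RULES:
        # DOTALL so the '.' wildcards also span 0x0A bytes.
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(data: bytes) -> Set[int]:
    """Set of method numbers whose signature appears in data."""
    return {method for _, method, _ in scan(data)}

# Constructed sample (not a real binary): the HASP back-door loop of
# method 02, the int 41h/4Fh probe of method 05 and the MeltICE device
# name of method 11, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h   (offset 13)
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"    # mov ax,4fh / int 41h   (offset 24)
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x74\x00"                # jz (target irrelevant here)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0   (offset 38)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04x}  method {method:02d}  {desc}")
```

Only the ANSI device names are matched, as on the page; a CreateFileW caller would need the same names encoded as UTF-16LE.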