<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the program loads
'BCHK' into EBP and 4 into AX, then executes INT 3. If SoftICE is present it
handles the interrupt and modifies AL; if it is absent, the INT 3 returns with
AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command string (offset
                           ; taken from a table at [BX], see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded, ES:DI
comes back as 0:0, so a non-zero ES or DI means the entry point exists.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The simplest is the following:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one points the int 41h vector at its
own dummy handler for the duration of the call, so that whatever sits in the
interrupt vector table cannot influence the answer; SoftICE intercepts the
interrupt before it is reflected to the vector table and still answers:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to detect: it does
not look for the 0F386h magic number at all. The handler installed in the
vector table copies AL into CL; the caller puts a timer value in AL and
zeroes CX before the INT 41h. If the interrupt reaches our handler, CL equals
AL afterwards; if a debugger swallows it first, CL is still 0. (The check
misfires when the byte read from port 40h happens to be 0.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a value that changes at every run
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
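To see what the two DR7 values above actually mean, here is a decoder for the
DR7 bit layout, added as an example (not code from the original page): 0x400 is
just the reserved bit 10, which always reads as 1; 0x700 adds the LE and GE
exact-breakpoint enable bits that a debugger sets; an armed BPM shows up as an
Ln/Gn bit plus its R/Wn and LENn fields. Reading DR7 for real requires ring 0
("mov eax, dr7" faults in ring 3), so the sample values are constructed and
passed in as plain integers; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers") */
#define DR7_LE    (1u << 8)    /* local exact breakpoint enable */
#define DR7_GE    (1u << 9)    /* global exact breakpoint enable */
#define DR7_BIT10 (1u << 10)   /* reserved, always reads as 1 */
#define DR7_GD    (1u << 13)   /* general detect: trap on any DRx access */

typedef struct {
    int      armed[4];   /* Ln or Gn set: DRn holds a live breakpoint (a BPM) */
    unsigned rw[4];      /* 0 = execute, 1 = write, 3 = read/write (2 = I/O with CR4.DE) */
    unsigned len[4];     /* breakpoint length in bytes */
    int      le, ge, gd;
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    /* LENn encoding: 00 = 1 byte, 01 = 2, 11 = 4 (10 = 8, 64-bit mode only) */
    static const unsigned len_tab[4] = { 1, 2, 8, 4 };
    dr7_info d;
    for (unsigned n = 0; n < 4; n++) {
        d.armed[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;      /* Ln = bit 2n, Gn = bit 2n+1 */
        d.rw[n]    = (dr7 >> (16 + 4 * n)) & 3;           /* R/Wn = bits 16+4n..17+4n */
        d.len[n]   = len_tab[(dr7 >> (18 + 4 * n)) & 3];  /* LENn = bits 18+4n..19+4n */
    }
    d.le = !!(dr7 & DR7_LE);
    d.ge = !!(dr7 & DR7_GE);
    d.gd = !!(dr7 & DR7_GD);
    return d;
}

/* number of debug registers currently armed (SoftICE BPM breakpoints) */
int dr7_armed_count(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.armed[0] + d.armed[1] + d.armed[2] + d.armed[3];
}

/* The page's 0x700 vs 0x400: with no BPM armed, only LE/GE tell them apart. */
int dr7_debugger_enable_bits(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) != 0;
}

/* What a ring-0 anti-debug stub does when it "clears BPMs": drop the Ln/Gn
 * enable bits and the R/W and LEN fields, keep LE/GE/GD and the reserved bit. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & (DR7_LE | DR7_GE | DR7_BIT10 | DR7_GD);
}

int main(void)
{
    /* constructed values: the two from the page, plus one with a 4-byte
     * read/write BPM armed in DR0 (L0 set, R/W0 = 11b, LEN0 = 11b) */
    const uint32_t samples[3] = { 0x700, 0x400, 0x000F0401 };
    for (int i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%08X LE=%d GE=%d GD=%d armed=%d", samples[i], d.le, d.ge, d.gd,
               dr7_armed_count(samples[i]));
        for (unsigned n = 0; n < 4; n++)
            if (d.armed[n]) printf(" DR%u:rw=%u len=%u", n, d.rw[n], d.len[n]);
        printf(" -> after clearing BPMs: %08X\n", dr7_clear_bpm(samples[i]));
    }
    return 0;
}
```

This is also why the warning at the top of Method 10 matters: a protector that
writes DR7 back with the Ln/Gn bits cleared silently removes every BPM, and one
that sets GD makes the next access to any debug register (including the
debugger's own) raise a debug exception.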

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow its
handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0 on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, there are several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-()

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
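The CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint above
both compare one dword of the argument string against a four-character
constant. Here they are re-implemented as C predicates, as an added example
that is not code from the original page: SoftICE evaluates 'SICE' against the
bytes "SICE" as they sit in memory, whereas a C multi-character constant 'SICE'
is 0x53494345 and, loaded little-endian, would never match, so the dword is
built byte by byte. The function names are mine and the inputs are the driver
names and registry keys quoted on this page, constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* the dword at p as an x86 load sees it (little-endian) */
static uint32_t dword_at(const char *p)
{
    return (uint32_t)(uint8_t)p[0]
         | (uint32_t)(uint8_t)p[1] << 8
         | (uint32_t)(uint8_t)p[2] << 16
         | (uint32_t)(uint8_t)p[3] << 24;
}

/* a 4-character tag as SoftICE's 'ABCD' evaluates it against memory */
uint32_t sice_tag(const char *four) { return dword_at(four); }

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || ... :
 * esp->4 is lpFileName and +4 skips the "\\.\" prefix. Returns the driver
 * name matched, or NULL. Like the breakpoint, it never checks the prefix. */
const char *softice_device_from_path(const char *lpFileName)
{
    if (strlen(lpFileName) < 8)        /* need at least "\\.\" + 4 bytes */
        return NULL;
    uint32_t d = dword_at(lpFileName + 4);
    if (d == sice_tag("SICE")) return "SICE";
    if (d == sice_tag("SIWV")) return "SIWVID";
    if (d == sice_tag("NTIC")) return "NTICE";
    return NULL;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is lpSubKey. Offset 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE" (key #2), 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int softice_regkey_hit(const char *lpSubKey)
{
    size_t n = strlen(lpSubKey);
    uint32_t t = sice_tag("tICE");
    if (n >= 0x13 + 4 && dword_at(lpSubKey + 0x13) == t) return 1;
    if (n >= 0x37 + 4 && dword_at(lpSubKey + 0x37) == t) return 1;
    return 0;
}

int main(void)
{
    /* constructed inputs: the names and keys quoted on this page */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++) {
        const char *dev = softice_device_from_path(paths[i]);
        printf("CreateFileA(\"%s\") -> %s\n", paths[i], dev ? dev : "no break");
    }
    for (size_t i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               softice_regkey_hit(keys[i]) ? "break" : "no break");
    return 0;
}
```

Two caveats fall out of this: the _regopenkey condition fires for keys #1 and
#2 only, never for key #3 (App Paths\Loader32.Exe), and both conditions are
exact byte compares at fixed offsets, so a program that opens "SOFTWARE\NuMega\
SoftICE" (the registry is case-insensitive, the breakpoint is not) or passes a
subkey with a leading backslash walks past both breakpoints unnoticed.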

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>