<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI = 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both swap their own handler into the
int 41h vector before the call, so the check does not rely on an int 41h
handler being present (ES is assumed to point to the interrupt vector table,
i.e. ES = 0, as Method 06 does explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, save the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: an unpredictable value in al
    xor cx, cx
    int 41h                 ; if SoftICE handles int 41h, our handler never runs
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler was executed
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered the open: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
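As an added example (not part of the original text), the following Python
scanner looks for the byte-level signatures of the checks described in
methods 01 to 13 (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the
int 2Fh/1684h VxD ids, the int 41h/4Fh and int 68h/43h calls, the 0F386h
compare, the \\.\SICE driver names, the 002A002Ah VxDCall constant and the
NuMega registry key) so an analyst can spot a protected file quickly; the
instruction encodings assume 16-bit code for the DOS/V86 tricks and the
SAMPLE bytes are constructed here for illustration.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "method description offset")

# Byte signatures for the SoftICE checks above. Operand-size prefixes (66h)
# in 32-bit code sit in front of these substrings and do not disturb them.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "int 3 backdoor magic values SI=4647h / DI=4A4Dh",
     rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46)"),
    ("03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD id",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,12}?\xcd\x2f"),
    ("05/06", "int 41h function 4Fh debugger installation check",
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41"),
    ("05/07/12", "compare ax against system-debugger magic 0F386h",
     rb"\x3d\x86\xf3"),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xb4\x43.{0,4}?\xcd\x68"),
    ("11", "MeltICE driver handle open (\\\\.\\SICE, SIWVID, NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     rb"\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE installation registry key",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data):
    """Return every signature hit in `data`, ordered by file offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append(Hit(method, desc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def methods_found(data):
    """Sorted list of the method numbers whose signature appears in `data`."""
    return sorted({h.method for h in scan(data)})


# Constructed sample: 16-bit encodings of methods 01, 02, 03 and 05 plus the
# MeltICE driver name, padded with NOPs. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # 01
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # 02
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"                  # 05
    + b"\\\\.\\SICE\x00"                                           # 11
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print("%08x  method %-8s %s" % (h.offset, h.method, h.description))
```

The three-byte patterns (0F386h compare, int 68h) can occur by chance in a
large binary, so treat a lone hit on one of them as a lead to confirm in the
disassembly rather than proof.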
</PRE></TD></TR></TBODY></TABLE>