<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh        ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h              ; VxD ID of winice
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax                 ; ES:DI is left at 0:0 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh              ; VxD ID of SIWVID
    int 2fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                  ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install a dummy int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                    ; a loaded system debugger still answers with ax=0F386h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                  ; only reached if our own handler really got the int
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; arbitrary value read from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al                  ; cl==al only if our handler ran (not intercepted)
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                ; DOS: set interrupt vector
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> the new handler
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID         ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

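As an added example (not code from the original page), here is a small Python scanner that looks through a binary for the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11 and 13 above (the 'BCHK' constant followed by int 3, the 4647h/4A4Dh magic values, int 2Fh/1684h with the SICE/SIWVID VxD IDs, int 41h/4Fh, the 0F386h compare, int 68h/43h, the \\.\SICE device name and the NuMega registry key), the way an analyst would triage a sample for these checks; the signature names, regular expressions and sample bytes are my own construction.

```python
import re

# Byte signatures for the SoftICE checks catalogued on this page (constructed here,
# not from the page). Immediates are little-endian, so 'BCHK' (0x4243484B) is stored
# as 4B 48 43 42; opcodes are the 16-bit encodings (mov r16,imm16 / cmp ax,imm16 / int n).
SIGNATURES = {
    "method01_BoundsChecker_BCHK_int3": re.compile(
        rb"\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),            # 'BCHK' ... int 3
    "method02_backdoor_SI_4647_DI_4A4D": re.compile(             # mov si,4647h / mov di,4A4Dh
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.DOTALL),
    "method03_04_int2F_1684_VxD_ID": re.compile(                 # mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    "method05_int41_fn4F": re.compile(                           # mov ax,4Fh ... int 41h
        rb"\xB8\x4F\x00.{0,32}?\xCD\x41", re.DOTALL),
    "magic_F386_compare": re.compile(rb"\x3D\x86\xF3"),          # cmp ax,0F386h (Methods 05/07/12)
    "method07_int68_fn43": re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),  # mov ah,43h ; int 68h
    "method11_MeltICE_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "method13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan_softice_checks(buf: bytes) -> list:
    """Return (offset, signature name) for every hit in buf, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the page's Method 01, 02 and 05 sequences assembled by hand,
# padded with NOPs, plus the MeltICE device name and the Method 13 registry key.
SAMPLE = b"".join([
    b"\x66\xBD\x4B\x48\x43\x42",                 # mov ebp,4243484Bh ('BCHK')
    b"\xB8\x04\x00\xCC",                         # mov ax,4 ; int 3
    b"\x3C\x04\x75\x10",                         # cmp al,4 ; jnz SoftICE_Detected
    b"\x90" * 8,
    b"\xB8\x11\x09",                             # mov ax,0911h (execute SIce command)
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC",             # mov si,4647h ; mov di,4A4Dh ; int 3
    b"\x90" * 8,
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00", # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    b"\\\\.\\SICE\x00",                          # "\\.\SICE" as stored in the binary
    b"Software\\NuMega\\SoftICE\x00",
])

if __name__ == "__main__":
    for off, name in scan_softice_checks(SAMPLE):
        print(f"{off:#06x}  {name}")
```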
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>