<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; serviced by SoftICE's BoundsChecker interface
    cmp al, 4               ; al is left untouched when SoftICE is absent
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect: the int 41h
vector is replaced by a handler that copies al into cl. If SoftICE intercepts
int 41h, that handler never runs and cl does not match al.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: a changing value for al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

___________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ecx) if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
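As an added example (not part of the original text, and not code from any tool it mentions), here is a small Python scanner that flags the byte patterns of the tricks above in a raw code or data blob: the static triage an analyst runs on a packed sample before it ever reaches a debugger. The signature list and the sample blob are constructed for this example; the instruction encodings are the standard x86 ones for the instructions quoted in the methods.

```python
import re

# Byte-level signatures of the anti-SoftICE tricks listed above (numbers are
# the method numbers of this text). Encodings are the standard x86 ones for
# the instructions quoted; a leading 66h operand-size prefix is allowed so the
# 16-bit immediates also match inside 32-bit code. The signature set is
# constructed for this example and is not exhaustive (method 06, for instance,
# has no fixed immediate to match on).
ANY = rb"[\x00-\xff]"                                      # one arbitrary byte
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' in EBP",                     # mov ebp,4243484Bh
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02 back door magic SI=4647h, DI=4A4Dh",              # mov si,4647h .. mov di,4A4Dh
     re.compile(rb"(?:\x66)?\xBE\x47\x46" + ANY + rb"{0,8}?(?:\x66)?\xBF\x4D\x4A")),
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",     # mov bx,0202h|7A5Fh .. int 2Fh
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A)" + ANY + rb"{0,8}?\xCD\x2F")),
    ("05 int 41h function 4Fh",                            # mov ax,4Fh .. int 41h
     re.compile(rb"(?:\x66)?\xB8\x4F\x00" + ANY + rb"{0,4}?\xCD\x41")),
    ("07 int 68h function 43h",                            # mov ah,43h .. int 68h
     re.compile(rb"\xB4\x43" + ANY + rb"{0,4}?\xCD\x68")),
    ("05/07/12 cmp ax, 0F386h",                            # system-debugger magic number
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("12 VxDCall VWIN32_Int41Dispatch",                    # push 002A002Ah
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("11 MeltICE driver name",                             # \\.\SICE, \\.\SIWVID, \\.\NTICE
     re.compile(b"|".join(re.escape(n) for n in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE")))),
    ("13 SoftICE registry key",
     re.compile(re.escape(rb"Software\NuMega\SoftICE"))),
]


def scan_blob(blob):
    """Return every (offset, label) hit found in blob, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        hits.extend((m.start(), label) for m in pattern.finditer(blob))
    return sorted(hits)


# Constructed sample: several of the tricks above glued together with filler.
SAMPLE = (
    b"\x90" * 4                                  # 0..3   filler
    + b"\xBD\x4B\x48\x43\x42"                    # 4..8   mov ebp,4243484Bh (method 01)
    + b"\x66\xB8\x04\x00\xCC"                    # 9..13  mov ax,4 / int 3
    + b"\x90" * 3                                # 14..16 filler
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"            # 17..23 mov si,4647h / mov di,4A4Dh / int 3 (02)
    + b"\x90" * 3                                # 24..26 filler
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"        # 27..34 mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    + b"\x00" * 3                                # 35..37 filler
    + rb"\\.\SICE" + b"\x00"                     # 38..46 MeltICE device name (11)
    + rb"Software\NuMega\SoftICE" + b"\x00"      # 47..70 registry key (13)
)

if __name__ == "__main__":
    for offset, label in scan_blob(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```

A hit on the `cmp ax, 0F386h` or `int 41h` pattern alone is weak evidence, since both byte sequences can occur by chance; a sample that uses these tricks is normally flagged by several signatures within a few bytes of each other.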