About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0 to address the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; our handler leaves ax alone: only a system
    jz      SoftICE_detected    ; debugger hooking int 41h returns 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; copy the function number into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable function number from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl==al only if our own handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number      ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
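The scanner below is an added example, not code from the original post: it lets an analyst triage a packed sample for the tricks above before running it under a debugger, by searching the raw file for the byte encodings of the checks in Methods 01, 02, 03/04, 05 and 07, the device names opened by MeltICE (Method 11) and the registry paths of Method 13. The 16-bit encodings assume a 16-bit code segment (DOS/Win16); the sample input is constructed, not taken from a real protector.

```python
"""Static triage scanner for the anti-SoftICE checks described in this post.

Added example, not the post's own code.  Signatures are the opcode
encodings of the checks quoted above; the sample input is constructed.
"""
import re

# (method label, regex over raw bytes).  Short lazy gaps allow a few
# instructions between the parts of a signature, as in the Haspinst.exe dump.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3      -> BD 4B 48 43 42 .. CC
    ("01 BoundsChecker BCHK",    re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3     -> BE 47 46 .. BF 4D 4A .. CC
    ("02 int 3 back door",       re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2F/1684 VxD ID", re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f", re.S)),
    # Method 05: mov ax,4Fh ; int 41h                      -> B8 4F 00 CD 41
    ("05 int 41/4F",             re.compile(rb"\xb8\x4f\x00\xcd\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h                      -> B4 43 CD 68
    ("07 int 68/43",             re.compile(rb"\xb4\x43\xcd\x68", re.S)),
    # Methods 05/07/12: cmp ax,0F386h (also the 66-prefixed 32-bit form)
    ("0F386h magic compare",     re.compile(rb"\x3d\x86\xf3", re.S)),
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    ("11 MeltICE device name",   re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.S)),
    # Method 13: registry paths
    ("13 registry key",          re.compile(rb"Software\\NuMega\\SoftICE|\\Uninstall\\SoftICE|Loader32\.Exe", re.I)),
]


def scan(blob):
    """Return a list of (offset, label, matched bytes), sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label, m.group(0)))
    return sorted(hits)


def methods_found(blob):
    """Return the sorted list of distinct method labels present in blob."""
    return sorted({label for _, label, _ in scan(blob)})


# Constructed sample: a 16-bit stub carrying the Method 02, 03 and 05 checks,
# padded with NOPs, followed by MeltICE device names and a registry path.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"                       # mov ax,0911h
    + b"\xbe\x47\x46"                       # mov si,4647h
    + b"\xbf\x4d\x4a"                       # mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # \\.\SICE and \\.\NTICE, NUL-terminated
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, label, raw in scan(SAMPLE):
        print(f"{offset:08x}  {label:28}  {raw.hex(' ')}")
```

Run it on a real file with `scan(open(path, "rb").read())`; a hit only says the encoding is present, so confirm it in a disassembler before drawing conclusions.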