<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected


__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; assumes ES = 0 (the real-mode interrupt vector table) at this point
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install our own int 41h handler, keeping
 xchg bx, es:[41h*4+2]  ; the old vector in DX:BX
 mov ax,4fh
 int 41h                ; without a debugger, our iret leaves AX = 4Fh
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; our handler copies AL into CL to prove it ran
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax              ; ES = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our handler, keeping the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read the timer: an unpredictable value in AL
 xor cx,cx
 int 41h                ; CL stays 0 if something intercepted int 41h before us
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; CL == AL only if our handler really executed
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:

 BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                    ; int 21h/25h: set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> the new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
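
The two DR7 values quoted above can be read back into their bit fields. The decoder
below is an added example written for this page, not code from the original text:
given a DR7 value as seen in a debugger or a crash dump, it reports which of the
four hardware breakpoints (DR0..DR3) are armed, with their scope, type and length,
plus the LE/GE "exact" bits that make up the 0x700 pattern and the GD bit that traps
any further access to the debug registers. The bit layout is the one documented in
the Intel SDM; the function names are mine, and the values other than 0x700 and 0x400
in the demo are constructed.

```python
"""Decode an x86 DR7 debug-control register value (added example for Method 10).

Bit layout used (Intel SDM, vol. 3, "Debug Registers"):
  bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3  enable bits for DR0..DR3
  bit  8     LE  local exact breakpoint
  bit  9     GE  global exact breakpoint
  bit 10     reserved, always reads as 1 (hence the 0x400 seen with no debugger)
  bit 13     GD  general detect (traps any MOV to/from a debug register)
  bits 16-31 R/Wn and LENn, two bits each, for n = 0..3
"""
from dataclasses import dataclass
from typing import List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN = 10b (8 bytes) is valid only in 64-bit mode


@dataclass(frozen=True)
class HwBreakpoint:
    index: int      # which of DR0..DR3 holds the address
    scope: str      # "local", "global" or "local+global"
    kind: str       # execute / write / io / read-write
    length: int     # size of the watched range in bytes


@dataclass(frozen=True)
class Dr7State:
    breakpoints: List[HwBreakpoint]
    local_exact: bool
    global_exact: bool
    general_detect: bool


def decode_dr7(dr7: int) -> Dr7State:
    """Split a DR7 value into its armed breakpoints and control flags."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        # an execute breakpoint should have LEN = 00; the raw value is kept so a
        # mis-configured entry stays visible to the reader
        bps.append(HwBreakpoint(n, scope, RW_KIND[rw], LEN_BYTES[ln]))
    return Dr7State(
        breakpoints=bps,
        local_exact=bool((dr7 >> 8) & 1),
        global_exact=bool((dr7 >> 9) & 1),
        general_detect=bool((dr7 >> 13) & 1),
    )


def describe_dr7(dr7: int) -> str:
    """One-line reading of DR7 in the terms used by Method 10 above."""
    st = decode_dr7(dr7)
    parts = []
    if st.local_exact and st.global_exact:
        parts.append("LE+GE set (the 0x700 pattern left by the SoftICE loader)")
    if st.general_detect:
        parts.append("GD set: any access to a debug register will trap")
    if not st.breakpoints:
        parts.append("no hardware breakpoints armed")
    for bp in st.breakpoints:
        parts.append(f"DR{bp.index}: {bp.scope} {bp.kind} breakpoint, {bp.length} byte(s)")
    return f"DR7=0x{dr7:X}: " + "; ".join(parts)


if __name__ == "__main__":
    # 0x700 and 0x400 are the two values quoted in Method 10; the other two are
    # constructed: a global 4-byte read/write BPM on DR0, and a local+global
    # 1-byte write BPM on DR1
    for value in (0x700, 0x400, 0xF0402, 0x10040C):
        print(describe_dr7(value))
```

The decoder is the same check a SoftICE BPM leaves behind: a memory breakpoint set
with BPM shows up as an enable bit plus an R/W and LEN field in DR7, which is exactly
what the trick reads and, as the text says, can clear.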
__________________________________________________________________________

Method 11
=========
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* try to open the SoftICE VxD through its device name */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);
  return TRUE;      /* the driver answered: SoftICE is loaded */
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
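
Several of the methods above leave fixed byte sequences in the protected program:
the 'BCHK' immediate followed by int 3 (Method 01), the SI/DI magic values
(Method 02), the int 41h/4Fh sequence with the 0F386h magic (Method 05), the
push 4Fh / push 002A002Ah pair before VxDCall (Method 12), the device names
(Method 11) and the registry keys (Method 13). The scanner below is an added
example written for this page, not part of the original text or of any tool it
names: it searches a raw binary for those sequences and reports where each one
occurs, which is the triage an analyst runs before deciding whether a sample is
worth tracing under a debugger. The signature names, the function
scan_for_softice_checks and the SAMPLE buffer are mine; the sample is constructed
inline. The opcode signatures assume the standard 16-bit immediate encodings used
by the listings above (B8/BE/BF/3D with a 16-bit immediate, BD with a 32-bit one,
CD 41 for int 41h, CC for int 3) and tolerate a 66h prefix; a packed or encrypted
sample will hide them until it is unpacked. The UTF-16 device-name form goes
slightly beyond the page, which only discusses CreateFileA and _lopen.

```python
"""Static scanner for SoftICE-detection artefacts (added example, see lead-in).

Each signature is a regular expression over raw bytes.  Opcode signatures use
the 16-bit encodings of the listings above (B8 = mov ax,imm16; BE = mov si,imm16;
BF = mov di,imm16; 3D = cmp ax,imm16; BD = mov ebp,imm32; CD xx = int xx;
CC = int 3); an optional 66h operand-size prefix covers 32-bit code that uses
the same 16-bit forms.
"""
import re
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    method: str
    description: str
    regex: "re.Pattern[bytes]"


@dataclass(frozen=True)
class Finding:
    offset: int
    method: str
    description: str


def _sig(method: str, description: str, pattern: bytes) -> Signature:
    return Signature(method, description, re.compile(pattern, re.DOTALL))


DEVICE_NAMES = [b"SICE", b"SIWVID", b"NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE",
                 b"Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]


def _device_name_pattern(utf16: bool) -> bytes:
    """\\\\.\\NAME either as ANSI (CreateFileA, _lopen) or as UTF-16LE (CreateFileW)."""
    names = [b"\\\\.\\" + n for n in DEVICE_NAMES]
    if utf16:
        names = [n.decode("ascii").encode("utf-16-le") for n in names]
    return b"|".join(re.escape(n) for n in names)


SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) followed shortly by int 3
    _sig("01", "BoundsChecker 'BCHK' handshake over int 3",
         re.escape(b"\xBD" + struct.pack("<I", 0x4243484B)) + rb".{0,8}?\xCC"),
    # Method 02: optional mov ax,091xh, then mov si,4647h / mov di,4A4Dh, then int 3
    _sig("02", "SoftICE back door: SI=4647h, DI=4A4Dh magic values with int 3",
         rb"(?:\xB8[\x10-\x14]\x09.{0,8}?)?"
         + re.escape(b"\xBE" + struct.pack("<H", 0x4647)) + rb".{0,16}?"
         + re.escape(b"\xBF" + struct.pack("<H", 0x4A4D)) + rb".{0,16}?\xCC"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    _sig("05", "int 41h function 4Fh with the 0F386h debugger magic",
         rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,16}?(?:\x66)?\x3D\x86\xF3"),
    # Method 12: push 4Fh (imm8 or imm32 form) then push 002A002Ah before VxDCall
    _sig("12", "VWIN32_Int41Dispatch(4Fh) via VxDCall",
         rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: device names, ANSI and UTF-16
    _sig("11", "SoftICE device name (\\\\.\\SICE, SIWVID or NTICE), ANSI",
         _device_name_pattern(False)),
    _sig("11", "SoftICE device name, UTF-16", _device_name_pattern(True)),
    # Method 13: registry keys
    _sig("13", "SoftICE registry key", b"|".join(re.escape(k) for k in REGISTRY_KEYS)),
]


def scan_for_softice_checks(blob: bytes) -> List[Finding]:
    """Return every signature hit in blob, ordered by offset."""
    hits = [Finding(m.start(), s.method, s.description)
            for s in SIGNATURES for m in s.regex.finditer(blob)]
    return sorted(hits, key=lambda f: (f.offset, f.method))


# Constructed sample: filler, one instance of each pattern, then a decoy
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 (Haspinst loop), offset 8
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # Method 05, offset 24
    + b"\x00" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # Method 01, offset 36
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                    # Method 11 ANSI, offset 50
    + "\\\\.\\NTICE\x00".encode("utf-16-le")               # Method 11 UTF-16, offset 59
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13, offset 79
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12, offset 103
    + b"\x86\xF3\x00\x00"                                   # decoy: magic word without cmp ax
)

if __name__ == "__main__":
    for f in scan_for_softice_checks(SAMPLE):
        print(f"{f.offset:#06x}  method {f.method}  {f.description}")
```

The int 2Fh/1684h checks (Methods 03, 04) and the Get_DDB / Test_Debug_Installed
calls (Methods 09, 14) are deliberately absent: their immediates (1684h, 0202h,
7A5Fh) are too short to match on without many false positives, so those are better
caught at run time with the breakpoints the text gives.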
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>