<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; al is left untouched when SoftICE is absent
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; ES:DI stays 0 when the VxD is not present
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; es must point at the interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; a 'random' value read from the timer port
    xor cx, cx
    int 41h                ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; ...unless a debugger took over int 41h
    jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
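To make the two dr7 values quoted above concrete, here is an added DR7 decoder (Python, not part of the original text): 0x400 is only the always-set reserved bit 10, 0x700 additionally carries the LE/GE exact-breakpoint bits 8 and 9, and any L0..L3/G0..G3 bit means a BPM is armed. The sample values are constructed.

```python
"""Decode the x86 DR7 debug-control register (added example, not from the text).

Bit layout (Intel SDM, "Debug Registers"):
  bits 0..7    L0,G0 .. L3,G3  local/global enable for breakpoints 0..3
  bits 8, 9    LE, GE          local/global exact breakpoint enable
  bit  10      reserved, always reads as 1
  bit  13      GD              general detect: trap on any debug-register access
  bits 16..31  RWn (2 bits) + LENn (2 bits) for each breakpoint n
"""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoints and the control bits of a DR7 value."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({
            "index": n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "armed": armed,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        # The two values the text quotes: 0x400 is the bare reserved bit,
        # 0x700 adds LE and GE (the SoftICE loader signature).
        "loader_signature": (dr7 & 0x700) == 0x700,
    }


def dr7_summary(dr7: int) -> str:
    """One-line verdict in the spirit of Method 10's check."""
    d = decode_dr7(dr7)
    parts = []
    if d["loader_signature"]:
        parts.append("LE/GE set (0x700 pattern)")
    for bp in d["armed"]:
        parts.append(f"BPM{bp['index']} {bp['type']} len={bp['length']} {bp['scope']}")
    if d["gd"]:
        parts.append("GD set")
    return "; ".join(parts) if parts else "no BPM armed, LE/GE clear"


if __name__ == "__main__":
    # Constructed sample values: the two quoted by the text, plus one
    # with breakpoint 0 armed as a 4-byte read/write watch (0xF0401).
    for value in (0x400, 0x700, 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)):
        print(f"dr7={value:#010x}: {dr7_summary(value)}")
```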
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025       ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

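Most of the checks above leave recognisable byte patterns in a binary. The following static scanner is an added example (Python, not from the original text) covering Methods 01 to 05, 07, 11 and 12, run on a constructed sample buffer; the opcode encodings are the standard x86 ones, and a hit is only a candidate to confirm by hand.

```python
"""Static triage for the SoftICE checks above (added example, not from the text).

Each entry pairs a method number from the text with the byte pattern its
code leaves in a binary.  Encodings used:
  mov si,imm16 = BE iw   mov di,imm16 = BF iw   mov ax,imm16 = B8 iw
  mov bx,imm16 = BB iw   mov ah,imm8  = B4 ib   int n = CD n   int 3 = CC
  mov ebp,imm32 = BD id  push imm32 = 68 id
"""
import re

# ".{0,16}?" allows a few instructions between the marker and the int call.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature in ebp",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door magic values (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.S)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,16}?\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,16}?\xCD\x2F", re.S)),
    ("05", "int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    ("07", "int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,16}?\xCD\x68", re.S)),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def scan(image: bytes) -> dict:
    """Map each method number found in `image` to (first offset, description)."""
    hits = {}
    for method, desc, pattern in SIGNATURES:
        m = pattern.search(image)
        if m:
            hits[method] = (m.start(), desc)
    return hits


# Constructed sample: filler, then Method 01, a Method 02 back door call,
# a MeltICE device string and a Method 12 VxDCall argument.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                       # mov ebp, 4243484Bh
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,0911h / si / di / int 3
    + b"\\\\.\\SICE\x00"                            # '\\.\SICE',0
    + b"\x68\x2A\x00\x2A\x00"                       # push 002A002Ah
    + b"\x90" * 4
)

if __name__ == "__main__":
    for method, (offset, desc) in sorted(scan(SAMPLE).items()):
        print(f"method {method} at offset {offset:#06x}: {desc}")
```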
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>