About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface ('BCHK'):

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
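As an added example (not part of the original post), here is a small Python scanner that looks for the byte patterns behind Methods 01 and 02 in a raw code dump: the 'BCHK' signature (mov ebp, 4243484Bh) and the int 3 back door with its two magic values, decoding the function code loaded into AX. The sample bytes are constructed by hand from the Haspinst.exe listing above and from the Method 01 sequence; the opcode encodings are standard x86, the function names are the page's, and the helper names (scan_softice_int3, Hit) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# SoftICE int 3 back-door function codes (in AX) as listed in Method 02.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command (string at ds:dx)",
    0x0912: "get breakpoint information",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}

# 16-bit encodings of the instructions both tricks rely on.
MOV_SI_MAGIC = b"\xbe\x47\x46"            # mov si, 4647h
MOV_DI_MAGIC = b"\xbf\x4d\x4a"            # mov di, 4A4Dh
BCHK_SIG = b"\xbd\x4b\x48\x43\x42"        # mov ebp, 4243484Bh  ('BCHK', Method 01)
MOV_AX_IMM16 = re.compile(rb"\xb8(..)", re.DOTALL)   # mov ax, imm16
INT3 = 0xCC


@dataclass
class Hit:
    offset: int               # offset of the int 3 opcode in the scanned bytes
    method: str               # "01" (BCHK interface) or "02" (back door)
    function: Optional[int]   # AX value selecting the back-door function, if any
    description: str


def scan_softice_int3(code: bytes, window: int = 24) -> List[Hit]:
    """Report every int 3 that is preceded, within `window` bytes, by the
    Method 01 'BCHK' signature or by the Method 02 magic-value pair."""
    hits: List[Hit] = []
    for off, byte in enumerate(code):
        if byte != INT3:
            continue
        before = code[max(0, off - window):off]
        if BCHK_SIG in before:
            hits.append(Hit(off, "01", None, "BoundsChecker 'BCHK' interface check"))
        elif MOV_SI_MAGIC in before and MOV_DI_MAGIC in before:
            # the last 'mov ax, imm16' before the int 3 selects the back-door function
            funcs = [int.from_bytes(m.group(1), "little")
                     for m in MOV_AX_IMM16.finditer(before)]
            func = funcs[-1] if funcs else None
            hits.append(Hit(off, "02", func,
                            BACKDOOR_FUNCS.get(func, "unknown back-door function")))
    return hits


# Constructed sample input: the Haspinst.exe loop from Method 02 assembled by
# hand as 16-bit code, followed by the Method 01 sequence assembled as 32-bit
# code (the jnz displacement is a placeholder).
HASPINST_LOOP = bytes([
    0xB8, 0x11, 0x09,   # mov ax, 0911h
    0x8B, 0x17,         # mov dx, [bx]
    0xBE, 0x47, 0x46,   # mov si, 4647h
    0xBF, 0x4D, 0x4A,   # mov di, 4A4Dh
    0xCC,               # int 3
    0x83, 0xC3, 0x02,   # add bx, 2
    0x41,               # inc cx
    0x83, 0xF9, 0x06,   # cmp cx, 6
    0x72, 0xEB,         # jb 0095
])
BCHK_CHECK = bytes([
    0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp, 4243484Bh
    0x66, 0xB8, 0x04, 0x00,         # mov ax, 4
    0xCC,                           # int 3
    0x3C, 0x04,                     # cmp al, 4
    0x75, 0x00,                     # jnz SoftICE_Detected (placeholder)
])


if __name__ == "__main__":
    for hit in scan_softice_int3(HASPINST_LOOP + BCHK_CHECK):
        ax = "" if hit.function is None else f" ax={hit.function:04X}h"
        print(f"+{hit.offset:04X}: method {hit.method}{ax}: {hit.description}")
```

The window-based search is deliberate: the magic values are loaded by separate mov instructions whose order varies between protectors, so matching a fixed byte sequence would miss most variants, while a bare int 3 without the magic pair or the BCHK constant is left alone.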
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax untouched;
    jz      SoftICE_detected        ; a debugger's handler returns 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = a timer byte (unpredictable value)
    xor     cx,cx
    int     41h                     ; our handler copies al into cl
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler was not reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
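As an added example (not from the original post), the following Python decoder splits a DR7 value into its fields using the layout documented in the Intel SDM, so the two values quoted above can be read: bit 10 of DR7 is reserved and always reads as 1, which is all 0x400 contains, and 0x700 differs from it only by the LE and GE bits (8 and 9), not by any enabled breakpoint; a value left behind by a memory breakpoint in dr0-dr3 looks different again. The 0x700/0x400 interpretation is the page's; decode_dr7, encode_bpm and classify are my own names, and reading the registers on a real machine still needs ring0 as the text says.

```python
from typing import Dict, List

# DR7 layout (Intel SDM vol. 3, "Debug Registers"): L0/G0 .. L3/G3 in bits 0-7,
# LE bit 8, GE bit 9, bit 10 reserved and always read as 1, GD bit 13,
# then a 2-bit R/W field and a 2-bit LEN field per breakpoint from bit 16 up.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # code 2 (8 bytes) only exists in 64-bit mode
DR7_RESERVED_BIT10 = 1 << 10


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its control bits and the enabled dr0-dr3 slots."""
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & (1 << 8)), "ge": bool(dr7 & (1 << 9)),
            "gd": bool(dr7 & (1 << 13)), "breakpoints": slots}


def encode_bpm(slot: int, rw: str, length: int, global_: bool = True) -> int:
    """DR7 value for one memory breakpoint (what a BPM leaves behind), with
    the reserved bit set as the CPU reports it."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    value = DR7_RESERVED_BIT10
    value |= 1 << (2 * slot + (1 if global_ else 0))
    value |= rw_code << (16 + 4 * slot)
    value |= len_code << (18 + 4 * slot)
    return value


def classify(dr7: int) -> str:
    """Read a DR7 value the way Method 10 does."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints set"
    if info["le"] and info["ge"]:
        return "LE/GE set (the page's 0x700: loaded through the SoftICE loader)"
    return "bare (the page's 0x400: only the reserved bit)"


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "write", 4)):
        print(f"dr7={value:#x}: {classify(value)} {decode_dr7(value)}")
```

Decoding the register rather than comparing it against two constants is what makes the check robust for an analyst: a protector that reads dr7 sees the same bits, so knowing which field carries the signal (LE/GE versus an enabled slot) tells you which breakpoints to clear before stepping through such code.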

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 = 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
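As an added example (not part of the original post), the following Python mirrors the string compares behind the CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint just above, so the three offsets can be checked against the strings the page lists: esp->4 is CreateFileA's lpFileName and +4 skips the four-character device prefix, landing on SICE, SIWV or NTIC; esp->8 is RegOpenKey's lpSubKey, and 'tICE' sits at 0x13 in key #2 and at 0x37 in key #1, while key #3 (Loader32.Exe) is not covered by that condition. It assumes SoftICE compares the four bytes at the pointer in memory order; the function names are mine, the strings and offsets are the page's.

```python
from typing import Dict, List

# The strings the two breakpoint conditions look at, as given on the page.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REG_SUBKEYS = {
    "#1": r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    "#2": r"Software\NuMega\SoftICE",
    "#3": r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def dword_at(s: str, offset: int) -> str:
    """The four characters a condition such as *(ptr+offset)=='tICE' compares
    (assumption: the four bytes are compared in memory order)."""
    return s[offset:offset + 4]


def tag_offsets(s: str, tag: str) -> List[int]:
    """Every offset at which `tag` occurs in `s`."""
    return [i for i in range(len(s) - len(tag) + 1) if s.startswith(tag, i)]


def createfile_condition_matches(name: str) -> bool:
    """Mirror of  BPX CreateFileA if *(esp->4+4)=='SICE' || ... :
    esp->4 is lpFileName, and +4 skips the four-character device prefix."""
    return dword_at(name, 4) in ("SICE", "SIWV", "NTIC")


def regopenkey_condition_matches(subkey: str) -> bool:
    """Mirror of  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
    esp->8 is lpSubKey."""
    return dword_at(subkey, 0x13) == "tICE" or dword_at(subkey, 0x37) == "tICE"


def regopenkey_coverage() -> Dict[str, bool]:
    """Which of the three keys the page's _regopenkey condition fires on."""
    return {label: regopenkey_condition_matches(key) for label, key in REG_SUBKEYS.items()}


def derive_offsets(strings: Dict[str, str], tag: str) -> Dict[str, List[int]]:
    """Generalisation: the offsets such a condition needs for any set of strings."""
    return {label: tag_offsets(s, tag) for label, s in strings.items()}


if __name__ == "__main__":
    print(regopenkey_coverage())                 # {'#1': True, '#2': True, '#3': False}
    print(derive_offsets(REG_SUBKEYS, "tICE"))   # {'#1': [55], '#2': [19], '#3': []}
```

derive_offsets is the part worth keeping: given any list of strings a protector might look up, it yields the offsets for a fixed-offset condition of the same shape, and an empty list (as for key #3 here) tells you the condition needs another clause.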

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>