<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911      ; execute command.
    4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647      ; 1st magic value.
    4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB   0095         ; 6 different commands.
    4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
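An analyst triaging a packed sample does not have to run it to notice Methods 01 and 02: the immediates the text names (EBP='BCHK', SI=4647h, DI=4A4Dh) have fixed encodings and are followed by an INT 3 within a few bytes. The Python script below is an added example, not code from the original text or from the HASP tool it quotes. It assumes the standard encodings (mov r16,imm16 = B8+reg imm16, mov ebp,imm32 = BD imm32, int 3 = CC or CD 03), allows up to 16 bytes between the anchors, and recovers the back-door function number from the nearest mov ax,imm16. The sample bytes are constructed to mirror the two listings above, not copied from a real binary.

```python
"""Static triage for the INT 3 checks of Methods 01 and 02.

Added example, not code from the original text: it scans raw x86 code bytes
for the immediates the text names (SI=4647h/DI=4A4Dh, EBP='BCHK') followed by
an INT 3, and reports which back-door function (AX) was selected."""
import re

# Back-door function numbers from the text (value of AX on entry to INT 3).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command (ds:dx)",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Instruction encodings used as anchors: mov r16,imm16 is B8+reg followed by a
# little-endian immediate (SI -> BE, DI -> BF, AX -> B8); mov ebp,imm32 in
# 32-bit code is BD imm32; int 3 is CC (or the long form CD 03).
INT3 = rb"(?:\xCC|\xCD\x03)"
MOV_SI_MAGIC = rb"\xBE" + re.escape((0x4647).to_bytes(2, "little"))
MOV_DI_MAGIC = rb"\xBF" + re.escape((0x4A4D).to_bytes(2, "little"))
MOV_EBP_BCHK = rb"\xBD" + re.escape((0x4243484B).to_bytes(4, "little"))
GAP = rb".{0,16}?"          # tolerate a few unrelated instructions in between

PATTERNS = {
    "softice-backdoor-int3": re.compile(
        MOV_SI_MAGIC + GAP + MOV_DI_MAGIC + GAP + INT3
        + rb"|" + MOV_DI_MAGIC + GAP + MOV_SI_MAGIC + GAP + INT3,
        re.DOTALL),
    "boundschecker-bchk-int3": re.compile(MOV_EBP_BCHK + GAP + INT3, re.DOTALL),
}
MOV_AX_IMM16 = re.compile(rb"\xB8(..)", re.DOTALL)


def scan(code: bytes) -> list:
    """Return one dict per suspicious sequence, ordered by offset."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(code):
            # The mov ax,imm16 selecting the function sits just before the
            # sequence (Method 02) or inside it (Method 01): look at both and
            # keep the last one seen before the INT 3.
            window = code[max(0, m.start() - 16):m.end()]
            ax = None
            for ax_match in MOV_AX_IMM16.finditer(window):
                ax = int.from_bytes(ax_match.group(1), "little")
            hits.append({
                "offset": m.start(),
                "pattern": name,
                "ax": ax,
                "meaning": BACKDOOR_FUNCTIONS.get(ax),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample (not bytes from the page's Haspinst.exe dump): the Method 02
# sequence MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3, a few
# NOPs, then the Method 01 sequence MOV EBP,'BCHK' / MOV AX,4 / INT 3 / CMP AL,4.
SAMPLE = (
    b"\x90\x90"
    b"\xB8\x11\x09"            # mov ax,0911h
    b"\x8B\x17"                # mov dx,[bx]
    b"\xBE\x47\x46"            # mov si,4647h
    b"\xBF\x4D\x4A"            # mov di,4A4Dh
    b"\xCC"                    # int 3
    b"\x90\x90\x90\x90"
    b"\xBD\x4B\x48\x43\x42"    # mov ebp,4243484Bh ('BCHK')
    b"\xB8\x04\x00"            # mov ax,4
    b"\xCC"                    # int 3
    b"\x3C\x04"                # cmp al,4
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit['offset']:#06x} {hit['pattern']} ax={hit['ax']} {hit['meaning']}")
```

The gap allowance is deliberate: packers reorder or pad the sequence, so matching on the immediates plus a nearby INT 3 is more robust than a fixed byte string, at the cost of a false positive if those two word constants happen to sit next to an unrelated INT 3.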
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax               ; es = 0 so that es:[41h*4] addresses the IVT entry
    mov es,ax
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
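The two DR7 values quoted above differ in exactly two bits, and knowing which ones explains both the check and what an armed memory breakpoint looks like to it. The decoder below is an added example, not code from the original text; it uses the DR7 layout documented in the Intel SDM (bits 0-7 are the L0/G0..L3/G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved and always read as 1, bit 13 GD, bits 16-31 the R/Wn and LENn fields). So 0x400 is a DR7 with nothing set but the reserved bit, and 0x700 is the same with LE and GE set. The arm_breakpoint helper and its slot/type/length arguments are this example's own names, used to show how a breakpoint on dr0..dr3 changes the register.

```python
"""Decode DR7 for the three situations Method 10 distinguishes.

Added example, not code from the original text. The field layout is the one
documented for DR7 in the Intel SDM: bits 0-7 hold the L0/G0..L3/G3 enable
pairs, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1,
bit 13 is GD, and bits 16-31 hold the R/Wn and LENn fields for dr0..dr3."""

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "data read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LENn encoding 10b means 8 bytes


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the armed breakpoint slots."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append({
            "register": f"dr{n}",
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def classify_dr7(dr7: int) -> str:
    """Map a DR7 value onto the cases the text lists: armed BPMs, loader-set LE/GE, or idle."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed (dr0-dr3 in use)"
    if info["le"] and info["ge"]:
        return "LE and GE set: the 0x700 case (loaded through the SoftICE loader)"
    return "idle: the 0x400 case (only the reserved bit 10 set)"


def arm_breakpoint(dr7: int, slot: int, rw: int, len_code: int, local: bool = True) -> int:
    """Return dr7 with one slot armed, the way a memory breakpoint on dr0..dr3 shows up.

    slot is 0..3, rw and len_code are the 2-bit R/Wn and LENn encodings above
    (hypothetical helper for the demonstration, not a SoftICE interface)."""
    dr7 |= 1 << (2 * slot + (0 if local else 1))
    dr7 |= (rw & 3) << (16 + 4 * slot)
    dr7 |= (len_code & 3) << (18 + 4 * slot)
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_breakpoint(0x400, 0, 3, 3)):
        print(f"dr7={value:#x}: {classify_dr7(value)}")
```

Running it shows that a 4-byte read/write breakpoint in slot 0 turns the idle 0x400 into 0xF0401, which is why a protection reading dr0-dr3 and dr7 from ring0 sees memory breakpoints immediately, and why the text tells you to clear them before tracing such code.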
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025           ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>