<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of packers/encryptors found on the Internet.
It probes for the BoundsChecker signature that SoftICE recognises on int 3:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

If SoftICE is loaded, its int 3 handler recognises the signature and
returns with a different value in AL (the code only tests that AL is no
longer 4); if it is not loaded, the int 3 passes through untouched and AL
is still 4.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00AD" happens through an exception handler the program
installs for int 3: when SoftICE is not loaded, nothing services the int 3
and the handler receives it; when SoftICE is loaded, it consumes the call
and execution continues at 00A1 with the next command.
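The two stubs above have a fixed shape, so a packer scanner can find them statically. The following C program is an added example (it is not part of this text, nor code from any packer or from NuMega): it searches a byte buffer for the 'BCHK' immediate of Method 01 (bytes 4B 48 43 42 after the mov ebp opcode BDh) and for the magic-value pair of Method 02 (BE 47 46 = mov si,4647h and BF 4D 4A = mov di,4A4Dh, in either order), each followed by an int 3 (CCh) within a short window; for Method 02 it also recovers the back-door function number from the nearest preceding mov ax,imm16 (B8h). The sample buffer is constructed from the Haspinst.exe listing above plus a 32-bit encoding of the Method 01 stub; the 16-byte window is an assumption of this scanner, not anything SoftICE defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16   /* assumption: max distance between the parts of one stub */

typedef struct {
    size_t   offset;    /* Method 01: offset of mov ebp; Method 02: offset of the first magic mov */
    int      method;    /* 1 = 'BCHK' int 3 check, 2 = FG/JM back door */
    unsigned function;  /* Method 02: AX loaded before the int 3 (0 if no mov ax found) */
} sice_hit;

static const uint8_t BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp, 4243484Bh */
static const uint8_t MOV_SI[] = { 0xBE, 0x47, 0x46 };             /* mov si, 4647h */
static const uint8_t MOV_DI[] = { 0xBF, 0x4D, 0x4A };             /* mov di, 4A4Dh */

static int at(const uint8_t *buf, size_t len, size_t i, const uint8_t *pat, size_t n)
{
    return i + n <= len && memcmp(buf + i, pat, n) == 0;
}

/* Is there an int 3 (CCh) within WINDOW bytes starting at 'from'? */
static int int3_follows(const uint8_t *buf, size_t len, size_t from)
{
    for (size_t j = from; j < len && j < from + WINDOW; j++)
        if (buf[j] == 0xCC) return 1;
    return 0;
}

/* Offset of the other magic mov within WINDOW bytes after 'from'; (size_t)-1 if absent. */
static size_t find_partner(const uint8_t *buf, size_t len, size_t from, const uint8_t *pat)
{
    for (size_t j = from; j < len && j < from + WINDOW; j++)
        if (at(buf, len, j, pat, 3)) return j;
    return (size_t)-1;
}

/* Nearest mov ax,imm16 (B8 iw) that ends before offset 'i'; returns the immediate or 0. */
static unsigned ax_before(const uint8_t *buf, size_t i)
{
    size_t stop = i > WINDOW ? i - WINDOW : 0;
    for (size_t j = i; j-- > stop; )
        if (buf[j] == 0xB8 && j + 2 < i)
            return buf[j + 1] | ((unsigned)buf[j + 2] << 8);
    return 0;
}

/* Scan buf for both stubs; returns the number of hits written to out (at most max_out). */
size_t scan_softice_stubs(const uint8_t *buf, size_t len, sice_hit *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        if (at(buf, len, i, BCHK, sizeof BCHK) && int3_follows(buf, len, i + sizeof BCHK)) {
            out[n++] = (sice_hit){ i, 1, 0 };
            i += sizeof BCHK - 1;
            continue;
        }
        const uint8_t *partner = NULL;
        if (at(buf, len, i, MOV_SI, 3)) partner = MOV_DI;
        else if (at(buf, len, i, MOV_DI, 3)) partner = MOV_SI;
        if (!partner) continue;
        size_t k = find_partner(buf, len, i + 3, partner);
        if (k == (size_t)-1 || !int3_follows(buf, len, k + 3)) continue;
        out[n++] = (sice_hit){ i, 2, ax_before(buf, i) };
        i = k + 2;
    }
    return n;
}

/* Constructed sample: a 32-bit Method 01 stub, then the 16-bit Haspinst.exe loop from the text. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x90, 0x90,          /* filler */
    0xBD, 0x4B, 0x48, 0x43, 0x42,    /* 4:  mov ebp, 4243484Bh ('BCHK') */
    0x66, 0xB8, 0x04, 0x00,          /* 9:  mov ax, 4 */
    0xCC,                            /* 13: int 3 */
    0x3C, 0x04,                      /* 14: cmp al, 4 */
    0x75, 0x00,                      /* 16: jnz SoftICE_Detected (displacement irrelevant here) */
    0x90, 0x90, 0x90,                /* filler */
    0xB8, 0x11, 0x09,                /* 21: mov ax, 0911h (execute command) */
    0x8B, 0x17,                      /* 24: mov dx, [bx] */
    0xBE, 0x47, 0x46,                /* 26: mov si, 4647h */
    0xBF, 0x4D, 0x4A,                /* 29: mov di, 4A4Dh */
    0xCC,                            /* 32: int 3 */
    0x83, 0xC3, 0x02,                /* 33: add bx, 2 */
    0x41,                            /* 36: inc cx */
    0x83, 0xF9, 0x06,                /* 37: cmp cx, 6 */
    0x72, 0xEB,                      /* 40: jb 0095 */
};

/* Runs the scanner over the sample; returns the hit count and copies hits to out if given. */
size_t demo_scan(sice_hit *out, size_t max_out)
{
    sice_hit hits[8];
    size_t n = scan_softice_stubs(sample, sizeof sample, hits, 8);
    for (size_t i = 0; i < n; i++) {
        if (hits[i].method == 2)
            printf("offset %zu: Method 02 back door, AX=%04Xh\n", hits[i].offset, hits[i].function);
        else
            printf("offset %zu: Method 01 'BCHK' check\n", hits[i].offset);
        if (out && i < max_out) out[i] = hits[i];
    }
    return n;
}

int main(void)
{
    return demo_scan(NULL, 0) == 2 ? 0 : 1;
}
```

This is a byte-pattern heuristic, not a disassembler: a 66h operand-size prefix in 32-bit code sits in front of the matched bytes and does not disturb the match, but any immediate or data that happens to contain these bytes matches too, so treat hits as candidates to confirm under a debugger.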
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh function 1684h (Get Device API Entry Point). ES:DI is cleared
first because a VxD that does not answer leaves the registers untouched,
so a non-zero ES:DI afterwards means a VxD with that ID is loaded.


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of winice
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h that every system debugger returns
in AX when int 41h function 4Fh (the debugger installation check) is called.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


This one and the next (Method 06) are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is swapped for a
do-nothing handler around the call, so that when no debugger answers, the
call simply returns with AX unchanged instead of landing on whatever the
vector normally holds:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]            ; ES must be 0 (interrupt vector table)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]            ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but harder to catch with a
breakpoint, since no 4Fh is loaded into AX: the program's own handler
copies AL into CL, and the check after the call is whether that copy
happened. The check relies on SoftICE servicing the int 41h itself without
chaining to the installed vector: then the handler never runs, CL stays 0
and CL differs from the timer byte in AL (unless that byte happened to be
0, a 1-in-256 false negative).


int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                      ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                     ; pseudo-random byte from timer channel 0
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]            ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        eip at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h (set interrupt vector) and 35h (get
interrupt vector); for 25h, ds:dx points to the new routine to execute
(hangs the computer...)

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated and/or changed
as well (clearing BPMs for instance).
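How the two DR7 values quoted above decode, and what a ring-0 check of the debug registers actually looks at, as an added C example (not from this text and not SoftICE's code). It decodes DR7 with the bit layout from the Intel manual: L0..L3/G0..G3 in bits 0..7 enable the breakpoints held in DR0..DR3, LE/GE are bits 8 and 9, bit 10 is reserved and always reads as 1 (hence the 0x400 baseline), and each slot's R/W and LEN fields sit in bits 16..31. The value must be obtained in ring 0 (mov eax, dr7 raises #GP from ring 3), so the values fed in below are constructed rather than read from hardware; the interpretation of LE/GE as the SoftICE loader's mark is taken from the text, not from the manual.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int         enabled;   /* L or G bit set for this slot */
    const char *type;      /* execute / write / io / read-write */
    int         len;       /* 1, 2, 4 or 8 bytes (always 1 for execute) */
} dr_slot;

typedef struct {
    int     loader_flags;  /* LE (bit 8) or GE (bit 9) set: what the text reports for the SoftICE loader */
    int     active;        /* number of enabled breakpoint slots */
    dr_slot slot[4];
} dr7_info;

static const char *rw_name(unsigned rw)
{
    static const char *const names[4] = { "execute", "write", "io", "read-write" };
    return names[rw & 3];
}

static int len_bytes(unsigned len)
{
    static const int bytes[4] = { 1, 2, 8, 4 };   /* 10b means 8 bytes only in 64-bit mode */
    return bytes[len & 3];
}

/* Decode a DR7 value into per-slot information. */
dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info = { 0 };
    info.loader_flags = (dr7 & 0x300) != 0;
    for (int i = 0; i < 4; i++) {
        unsigned enable = (dr7 >> (2 * i)) & 3;          /* Li | Gi */
        unsigned rw     = (dr7 >> (16 + 4 * i)) & 3;
        unsigned len    = (dr7 >> (18 + 4 * i)) & 3;
        info.slot[i].enabled = enable != 0;
        info.slot[i].type    = rw_name(rw);
        info.slot[i].len     = rw == 0 ? 1 : len_bytes(len);
        info.active += info.slot[i].enabled;
    }
    return info;
}

/* The check the text describes: any enabled slot, or LE/GE set, means a debugger is around. */
int debugger_suspected(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    return info.active > 0 || info.loader_flags;
}

/* Build the DR7 a debugger would write to arm slot i as a local breakpoint (rw, len as in the manual). */
uint32_t dr7_with_bpm(uint32_t dr7, int i, unsigned rw, unsigned len)
{
    dr7 |= 1u << (2 * i);                               /* Li */
    dr7 &= ~(0xFu << (16 + 4 * i));
    dr7 |= (((len & 3) << 2) | (rw & 3)) << (16 + 4 * i);
    return dr7;
}

/* Accessors for callers that only need one answer. */
int dr7_active_count(uint32_t dr7) { return decode_dr7(dr7).active; }
int dr7_slot_len(uint32_t dr7, int i)
{
    dr7_info d = decode_dr7(dr7);
    return d.slot[i].enabled ? d.slot[i].len : 0;
}

static void print_dr7(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    printf("DR7=%08X: LE/GE %s, %d active slot(s)\n",
           dr7, info.loader_flags ? "set" : "clear", info.active);
    for (int i = 0; i < 4; i++)
        if (info.slot[i].enabled)
            printf("  DR%d: %s, %d byte(s)\n", i, info.slot[i].type, info.slot[i].len);
}

int main(void)
{
    /* Constructed values: the two quoted in the text, then 0x400 with a 4-byte BPM RW on DR1. */
    print_dr7(0x400);
    print_dr7(0x700);
    print_dr7(dr7_with_bpm(0x400, 1, 3, 3));
    return 0;
}
```

A program that reads DR7 from ring 0 and finds 0x400 with no L/G bits set has no evidence of a hardware breakpoint; 0x700, or any enabled slot, is what the text's check reacts to, and clearing the L/G bits is exactly the "clearing BPMs" it mentions.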

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; the +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                    ; HFILE_ERROR (-1) becomes 0
        jnz 00650589               ; detected
        push 00                    ; OF_READ
        mov eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                ; not detected

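The probe above written out for all three driver names the text lists, together with the predicate behind the BPX CreateFileA condition (the dword 4 bytes past the start of lpFileName, i.e. just past "\\.\", compared with 'SICE', 'SIWV' or 'NTIC'), as an added C example; it is not MeltICE's or nmtrans.dll's code. The opener is passed in as a function pointer: on Windows it is the CreateFileA call from the sample, elsewhere (and in the self-test) a constructed stand-in that pretends a given set of device names exists, so the file builds and runs without the drivers. The fake_present table and the NT-only scenario are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Driver names the text lists: SICE and SIWVID on Win9x, NTICE on NT. */
static const char *const sice_devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
#define N_DEVICES (sizeof sice_devices / sizeof sice_devices[0])

typedef bool (*open_probe_fn)(const char *path);

#ifdef _WIN32
/* The CreateFileA probe from the sample: getting a handle means the driver answered. */
static bool open_probe_createfile(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return false;
    CloseHandle(h);
    return true;
}
#endif

/* Constructed stand-in for systems without the drivers: fake_present lists the names that "exist". */
static const char *const *fake_present;
static size_t fake_present_n;
static bool open_probe_fake(const char *path)
{
    for (size_t i = 0; i < fake_present_n; i++)
        if (strcmp(path, fake_present[i]) == 0) return true;
    return false;
}

/* Try every name; return the index of the first device that opened, or -1 if none did. */
int probe_softice(open_probe_fn try_open)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (try_open(sice_devices[i])) return (int)i;
    return -1;
}

/* The BPX predicate: *(lpFileName+4)=='SICE' || 'SIWV' || 'NTIC'.
 * Like the breakpoint, it only looks at the 4 bytes after the "\\.\" prefix. */
bool is_softice_path(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strlen(lpFileName) < 8) return false;       /* needs "\\.\" plus a 4-byte tag */
    for (size_t i = 0; i < 3; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0) return true;
    return false;
}

/* Constructed scenario: an NT box where only NTICE is present. Returns the matched index. */
int demo_nt_only(void)
{
    static const char *const present[] = { "\\\\.\\NTICE" };
    fake_present = present;
    fake_present_n = 1;
    return probe_softice(open_probe_fake);
}

int main(void)
{
#ifdef _WIN32
    int idx = probe_softice(open_probe_createfile);
#else
    int idx = demo_nt_only();
#endif
    if (idx < 0) printf("no SoftICE driver answered\n");
    else printf("SoftICE detected via %s (BPX predicate %s)\n", sice_devices[idx],
                is_softice_path(sice_devices[idx]) ? "matches" : "misses");
    return 0;
}
```

The sample in the text stops at SICE and so reports nothing on an NT machine running NTICE; the demo_nt_only scenario shows that case, which is why the breakpoint condition carries all three tags.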
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but is very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of 'tICE' within the
key #2 and key #1 strings respectively.)
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>