<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE's int 3
handler responds to:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; without SoftICE, al still holds 4 on return
    cmp al,4
    jnz SoftICE_Detected    ; al changed -> SoftICE handled the int 3

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'Back Door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911      ; execute command.
    4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647      ; 1st magic value.
    4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB   0095         ; 6 different commands.
    4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di               ; ES:DI = 0000:0000 before the call
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0000:0000 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD.

    xor di,di
    mov es,di               ; ES:DI = 0000:0000 before the call
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0000:0000 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This method and the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy handler, save the old
    xchg bx, es:[41h*4+2]   ; vector in bx:dx
    mov ax,4fh
    int 41h                 ; without a debugger the dummy iret leaves ax = 4Fh
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; dummy handler: copy al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the timer
    xor cx,cx
    int 41h                 ; if our handler runs, cl == al afterwards
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; SoftICE swallowed the int 41h -> cl is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods
05 and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

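As an added example (not part of the original document), here is a small
Python scanner that looks for the byte patterns of the checks from methods
01 to 12 in a raw code image, so an analyst can spot which of these tricks a
sample carries before tracing it. The instruction encodings are my own
(16-bit code for the DOS int-based tricks, 32-bit for the BCHK and VxDCall
ones) and the sample buffer is constructed.

```python
import re
from typing import List, Tuple

# Byte-pattern signatures for the SoftICE checks described in methods 01-12.
# Encodings are assumed (16-bit code for the DOS int-based tricks, 32-bit
# for the BCHK and VxDCall tricks); '.{0,8}' tolerates a few interleaved
# instructions between the register setup and the INT, as in Haspinst.exe.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":    rb"\xbd\x4b\x48\x43\x42",              # mov ebp,4243484Bh
    "02 back door int 3 (SI/DI magic)": rb"\xbe\x47\x46\xbf\x4d\x4a",          # mov si,4647h / mov di,4A4Dh
    "03 int 2Fh/1684h, VxD ID 0202h":   rb"\xb8\x84\x16\xbb\x02\x02.{0,8}\xcd\x2f",
    "04 int 2Fh/1684h, VxD ID 7A5Fh":   rb"\xb8\x84\x16\xbb\x5f\x7a.{0,8}\xcd\x2f",
    "05 int 41h function 4Fh":          rb"\xb8\x4f\x00.{0,8}\xcd\x41",        # mov ax,4Fh / int 41h
    "07 int 68h function 43h":          rb"\xb4\x43.{0,8}\xcd\x68",            # mov ah,43h / int 68h
    "11 MeltICE device name":           rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",     # "\\.\SICE" etc. (also the _lopen variant)
    "12 VxDCall VWIN32_Int41Dispatch":  rb"\x6a\x4f\x68\x2a\x00\x2a\x00",      # push 4Fh / push 2A002Ah
}

_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = []
    for name, rx in _COMPILED:
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: 16-bit 'mov ax,4Fh / int 41h / cmp ax,0F386h', then a
# MeltICE device-name string, then a 32-bit 'mov ebp,4243484Bh / mov ax,4 / int 3'.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Order-swapped or register-shuffled variants of the same checks need their own patterns; the table above matches the instruction order shown in the listings.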
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>