<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, the int 3 is answered by SoftICE and AL no
longer holds 4 on return.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (ES:DI stays 0000:0000 if the VxD is absent)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector at a dummy IRET handler, so that a 0F386h answer cannot come from
whatever real-mode handler was sitting on int 41h: only a debugger that
intercepts the interrupt below the vector table (WinICE in V86 mode) can
still answer. The original vector is restored afterwards:

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table (assumed, as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
since it never loads the 4Fh function code into ax. The handler copies
al into cl; the caller reads a changing value from the timer port (40h)
into al, clears cx and calls int 41h: if its own handler ran, cl equals
al afterwards, otherwise cl is still zero.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT channel 0 counter: a changing value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
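Methods 01 through 07 above are each a short, fixed instruction sequence in 16-bit code, which is why a packer that uses them can also be spotted statically, before running anything under the debugger. As an added example (not from the original text, nor from any of the tools it names), the following C program scans a buffer for the byte encodings of those sequences: 66 BD 4B 48 43 42 for mov ebp,4243484Bh (Method 01), BE 47 46 / BF 4D 4A for the two magic loads of Method 02, B8 84 16 BB xx xx CD 2F for Methods 03/04, B8 4F 00 CD 41 for Method 05 (both variants) and B4 43 CD 68 for Method 07. The signature names, the scan function and the sample buffer (the Haspinst.exe loop from Method 02 re-assembled by hand, plus a Method 01 and a Method 05 check) are constructed here; Method 06 has no fixed sequence and is deliberately not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One byte signature: the 16-bit encoding of an instruction sequence
 * quoted in Methods 01-07 (exact bytes, no wildcards). */
struct sig {
    const char *name;
    const uint8_t *pat;
    size_t len;
};

/* Method 01: mov ebp,4243484Bh ('BCHK'); 66h is the operand-size prefix in 16-bit code. */
static const uint8_t sig_m01[]  = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ('FG') ; mov di,4A4Dh ('JM'), in either order.
 * The int 3 that follows is not part of the pattern: it may be encoded as
 * CCh or CDh 03h, and other register loads may sit in between. */
static const uint8_t sig_m02a[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const uint8_t sig_m02b[] = { 0xBF, 0x4D, 0x4A, 0xBE, 0x47, 0x46 };
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh */
static const uint8_t sig_m03[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t sig_m04[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh ; int 41h */
static const uint8_t sig_m05[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h ; int 68h */
static const uint8_t sig_m07[]  = { 0xB4, 0x43, 0xCD, 0x68 };

#define SIG(n, p) { n, p, sizeof(p) }
static const struct sig sigs[] = {
    SIG("M01 BCHK signature in EBP", sig_m01),
    SIG("M02 backdoor magic SI=4647h/DI=4A4Dh", sig_m02a),
    SIG("M02 backdoor magic SI=4647h/DI=4A4Dh", sig_m02b),
    SIG("M03 int 2Fh/1684h, SICE VxD ID 0202h", sig_m03),
    SIG("M04 int 2Fh/1684h, SIWVID VxD ID 7A5Fh", sig_m04),
    SIG("M05 int 41h/4Fh debugger check", sig_m05),
    SIG("M07 int 68h/43h debugger check", sig_m07),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

struct hit {
    const char *name;
    size_t offset;
};

/* Slide every signature over the buffer; record up to max_hits matches
 * and return the total number found. */
size_t scan_for_softice_tricks(const uint8_t *buf, size_t len,
                               struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (sigs[s].len <= len - i &&
                memcmp(buf + i, sigs[s].pat, sigs[s].len) == 0) {
                if (n < max_hits) {
                    hits[n].name = sigs[s].name;
                    hits[n].offset = i;
                }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample (not a real file): a Method 01 check, the Haspinst.exe
 * loop from Method 02, and a Method 05 check, hand-assembled as 16-bit code. */
static const uint8_t sample_code[] = {
    0x90, 0x90,                         /* nop ; nop                        */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh   (offset 2)   */
    0xB8, 0x04, 0x00,                   /* mov ax,4                         */
    0xCC,                               /* int 3                            */
    0x3C, 0x04,                         /* cmp al,4                         */
    0x75, 0x1F,                         /* jnz SoftICE_Detected             */
    0xB8, 0x11, 0x09,                   /* mov ax,0911h                     */
    0x8B, 0x17,                         /* mov dx,[bx]                      */
    0xBE, 0x47, 0x46,                   /* mov si,4647h        (offset 21)  */
    0xBF, 0x4D, 0x4A,                   /* mov di,4A4Dh                     */
    0xCC,                               /* int 3                            */
    0x83, 0xC3, 0x02,                   /* add bx,2                         */
    0x41,                               /* inc cx                           */
    0x83, 0xF9, 0x06,                   /* cmp cx,6                         */
    0x72, 0xEB,                         /* jb back to mov ax,0911h          */
    0xB8, 0x4F, 0x00,                   /* mov ax,4Fh          (offset 37)  */
    0xCD, 0x41,                         /* int 41h                          */
    0x3D, 0x86, 0xF3,                   /* cmp ax,0F386h                    */
    0x74, 0x00,                         /* jz SoftICE_detected              */
};

static struct hit sample_hits[16];

/* Scan the constructed sample; returns the hit count, results in sample_hits. */
size_t scan_sample(void)
{
    return scan_for_softice_tricks(sample_code, sizeof sample_code,
                                   sample_hits, 16);
}

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset 0x%04zx: %s\n", sample_hits[i].offset, sample_hits[i].name);
    return 0;
}
```

Running it reports three hits at offsets 2, 21 and 37. Because the Method 02 pattern deliberately stops before the int 3, a packer that reorders the two register loads or interleaves them with other instructions (as Haspinst.exe does with mov ax and mov dx) is still caught; a packer that builds the magic values arithmetically is not, which is the usual limit of static signatures.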
. c& M1 g, p ?- }" ~: P) V__________________________________________________________________________3 H! D: R0 V; f+ l0 r1 d
$ q- d- o* |1 a' k3 e4 \# N A- s% o1 L3 j8 u3 e, N( s- G
Method 08; l$ R1 C" {* ~
=========, p2 q0 S) ?; c# ^; }8 p' u
- d. O$ I/ z" P. }: q& e% S
It is not a method of detection of SoftICE but a possibility to crash the
! m# C8 {/ \( psystem by intercepting int 01h and int 03h and redirecting them to another$ a {1 F7 x1 V; ^; S5 p" t
routine.
- J% v2 x/ Q9 B; }6 wIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points ]2 {: \1 v2 C3 O$ Z3 D2 X
to the new routine to execute (hangs computer...)
% }1 d2 O2 S& C3 \
& @3 @$ b- u. @) y" Q+ x1 T mov ah, 25h% V3 u, X* e* O ?: ]2 d
mov al, Int_Number (01h or 03h)
+ ?, n9 i/ T" N M mov dx, offset New_Int_Routine
% z+ Z4 E1 ^5 u' R7 i int 21h
) c& d6 ]+ H$ B
, p+ ^* A% D' D5 Q, g__________________________________________________________________________
6 Z# Q. q, @4 D5 R2 N0 M `
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

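DR7 is the register that carries the state the text refers to: bits 0 to 7 arm DR0 to DR3 (a local/global pair per register), bits 8 and 9 are LE/GE, bit 10 always reads as 1 (hence the 0x400 floor), bit 13 is GD, and bits 16 to 31 hold the access type and length of each breakpoint. As an added example, not part of the original text, the following C code decodes a DR7 value the way a ring-0 component that has just read it would, and shows what a protector writes back when it 'clears BPMs'. It does not read the register itself (that is ring0-only, as the text says); the 0x400 and 0x700 values are the ones the text quotes, and the third value, a 4-byte write breakpoint armed on DR0, is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the DR7 debug-control register (IA-32 layout). */
struct dr7_info {
    int local_en[4];   /* L0..L3: bits 0,2,4,6 */
    int global_en[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];         /* R/Wn: 00 execute, 01 write, 10 I/O, 11 read/write */
    int len_bytes[4];  /* LENn decoded to 1, 2, 4 or 8 bytes */
    int le, ge;        /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;            /* bit 13: general detect (traps MOV to/from DRx) */
};

static int len_field_to_bytes(unsigned f)
{
    switch (f & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8; /* 10b: 8 bytes on 64-bit CPUs, undefined on classic 32-bit */
    }
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d;
    for (int n = 0; n < 4; n++) {
        d.local_en[n]  = (dr7 >> (2 * n)) & 1;
        d.global_en[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]        = (dr7 >> (16 + 4 * n)) & 3;
        d.len_bytes[n] = len_field_to_bytes((dr7 >> (18 + 4 * n)) & 3);
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints that are armed (locally or globally):
 * non-zero means somebody has BPMs set, whatever the 0x400/0x700 base says. */
int dr7_armed_count(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    int c = 0;
    for (int n = 0; n < 4; n++)
        if (d.local_en[n] || d.global_en[n])
            c++;
    return c;
}

/* What a protector that "clears BPMs" writes back: all enable bits and all
 * R/W and LEN fields zeroed; LE, GE, GD and the always-one bit 10 are kept. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x00002700u;
}

/* The two values the text quotes, plus one constructed BPM (not from the page):
 * DR0 armed locally, write access, 4 bytes -> L0 | RW0=01b | LEN0=11b. */
#define DR7_PLAIN        0x00000400u
#define DR7_SICE_LOADER  0x00000700u
#define DR7_BPM_DR0_W4   (0x00000400u | 1u | (1u << 16) | (3u << 18))  /* 0x000D0401 */

void print_dr7(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%08X LE=%d GE=%d GD=%d armed=%d\n",
           dr7, d.le, d.ge, d.gd, dr7_armed_count(dr7));
    for (int n = 0; n < 4; n++)
        if (d.local_en[n] || d.global_en[n])
            printf("  DR%d armed (%s) rw=%d len=%d\n", n,
                   d.global_en[n] ? "global" : "local", d.rw[n], d.len_bytes[n]);
}

int main(void)
{
    print_dr7(DR7_PLAIN);
    print_dr7(DR7_SICE_LOADER);
    print_dr7(DR7_BPM_DR0_W4);
    print_dr7(dr7_clear_breakpoints(DR7_BPM_DR0_W4));
    return 0;
}
```

Decoding 0x700 shows that the SoftICE-loader value only differs from the idle 0x400 in the LE and GE bits, with no breakpoint armed; a real BPM shows up in the low byte and in the R/W and LEN fields, and dr7_clear_breakpoints() is exactly the write-back that makes the debugger's memory breakpoints silently stop firing, which is why the text warns against tracing with them set.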
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of 'tICE' inside
keys #2 and #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only):

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>