About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is only changed if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 (IVT segment) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector,
    xchg    bx, es:[41h*4+2]        ; keeping the old one in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler never changes ax; SoftICE does
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

* I9 j" o; [. M. ^* wMethod 062 _5 Y- S. O, \$ Y8 d
=========7 s! H) u4 K5 k( s* [& T* J% `2 G

, W7 X/ E. @# ]6 T4 K0 ]! ?$ ]5 }, @; O
2nd method similar to the preceding one but more difficult to detect:
' N! u0 ^1 {, g% z4 ~# Z, q8 s, ~- d3 d! {  m
& `5 @; W* Y7 z9 p" m- s4 [* _  w
int41handler PROC9 l1 H" A* @* w2 Q* b
    mov     cl,al
% |. q8 {$ U$ k) {    iret9 x0 b& {+ K+ X! j. n! {7 I, O( o
int41handler ENDP
. v, w! E; B: `! p. l% M+ O
. \# h7 e! d. q, u# w$ P4 h
3 Y4 B8 J2 [" F    xor     ax,ax; z1 h6 Y# n8 \8 U  A/ p7 h
    mov     es,ax
3 y1 f( T) m: G    mov     bx, cs
) u, X  A1 Q% d$ c% F    lea     dx, int41handler+ f9 f+ y" Z1 X* x
    xchg    dx, es:[41h*4]: k" t& J0 X. S2 X% e
    xchg    bx, es:[41h*4+2]
3 O* h* {6 U8 e& g, g& W    in      al, 40h) S. w2 Q5 ]% N) W0 C- h0 Y
    xor     cx,cx
3 q2 N2 O3 C) n6 O. K0 g    int     41h8 A  P9 r/ r* d% `; y
    xchg    dx, es:[41h*4]
+ x# M7 |! j# Y    xchg    bx, es:[41h*4+2]! S' `: F4 m( m' [  H, \1 g
    cmp     cl,al5 l, n! O3 Y" r; X
    jnz     SoftICE_detected7 \5 v! ]0 H8 P/ i$ M( s

' B7 f/ D6 D% ~7 ^_________________________________________________________________________$ R- e% w5 A' y: C
; ]$ q6 ?$ i9 s' u! S/ O
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE once the C escapes are resolved */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device could be opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

* n+ H: [$ K" |  f7 KMethod 12" N% U# v$ s/ p( r3 F# U
=========
  c! P: c! c* J7 K3 q# f4 Z
- I# J! |* X: {This trick is similar to int41h/4fh Debugger installation check (code 05
# r6 w, ~1 J/ z: ?- Y4 i3 A. ^&amp; 06) but very limited because it's only available for Win95/98 (not NT)
' B5 W0 u. m3 E( ~; Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! M( H% q3 g; \" E) l, Z2 u/ D$ b) f9 v' s! E. W% c  l$ R( V$ G
   push  0000004fh         ; function 4fh$ ?) _+ n: M% ]1 f- Y
   push  002a002ah         ; high word specifies which VxD (VWIN32)- i2 Z3 O8 C- k" F: t- m  f
                           ; low word specifies which service2 s2 a+ z6 D' s9 S
                             (VWIN32_Int41Dispatch)' X' s1 h3 H9 v# y' C7 _, ?
   call  Kernel32!ORD_001  ; VxdCall1 f7 K5 D7 s& E( T* F, A; ~+ {2 ]! N
   cmp   ax, 0f386h        ; magic number returned by system debuggers: [# |( T; o& y5 F( }6 [* L
   jz    SoftICE_detected+ v  O/ e$ A0 H6 R' n! m/ L: Z
4 T3 [7 L# c7 l
Here again, several ways to detect it:
6 V& k2 O5 I7 j! B( o5 S! M0 C' D$ j9 z# u3 n/ \( ~3 O  [
    BPINT 41 if ax==4f: i) L/ X4 v3 m3 r+ N
; m! L* @# V5 y! H
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one% K. f/ U5 m6 d, }: z' G  S0 A
5 V, U2 E1 t3 e7 f3 \! F
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A) a, p5 x1 o+ N

2 N4 k6 Z; G+ W. ~! D/ g    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ ^. k7 ^) z/ a& F' P6 D* h# O$ M- B' p$ N. g
__________________________________________________________________________
6 I7 ?/ p# L, |( b) D% E( c
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
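Most of the tricks above leave a recognisable static footprint in the executable (a fixed immediate, a magic value, a device or registry string), which is how an analyst triaging a packed sample can tell in advance which of these checks it will perform. The scanner below is an added example and is not code from the original post: it encodes the byte patterns implied by the listings above (standard x86 encodings, with the instruction bytes noted in the comments) and reports which catalogued methods appear in a buffer and at what offset. The ring-0 tricks (09, 10, 14) and the int 21h vector hijack (08) have no distinctive byte pattern and are deliberately not matched. SAMPLE is a constructed blob for the demo, not a real program.

```python
"""Static triage scanner for the anti-SoftICE footprints catalogued above.

Added example, not code from the original post.  x86 encodings used:
  B8/BB/BE/BF iw  mov ax/bx/si/di, imm16 (16-bit code)
  66 BD id        mov ebp, imm32 (16-bit code; BD id in 32-bit code)
  B4 ib           mov ah, imm8          E4 ib    in al, imm8
  CC / CD ib      int 3 / int imm8      3D iw    cmp ax, imm16
  6A ib / 68 id   push imm8 / push imm32
"""
import re
import sys

# (method number, description, bytes regex).  `.{0,N}` with DOTALL tolerates
# a few interleaved instructions between the anchoring opcodes.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe (mov ebp,4243484Bh ... int 3)",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    ("02", "int 3 back door with magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F"),
    ("05", "int 41h/4Fh compared against 0F386h",
     rb"\xB8\x4F\x00.{0,12}\xCD\x41.{0,12}\x3D\x86\xF3"),
    ("06", "in al,40h timer read followed by int 41h (handler-swap variant)",
     rb"\xE4\x40.{0,8}\xCD\x41"),
    ("07", "int 68h/43h compared against 0F386h",
     rb"\xB4\x43.{0,8}\xCD\x68.{0,8}\x3D\x86\xF3"),
    ("11", "MeltICE-style device name for CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key strings",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes):
    """Return every hit as (method, description, offset), ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(data):
            hits.append((method, desc, match.start()))
    return sorted(hits, key=lambda h: (h[2], h[0]))


def methods_found(data: bytes):
    """Sorted list of distinct method numbers whose footprint is present."""
    return sorted({h[0] for h in scan(data)})


# Constructed sample modelled on the listings above, padded with NOPs.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh  ('BCHK')
    b"\xB8\x04\x00"                      # mov ax, 4
    b"\xCC"                              # int 3
    b"\x3C\x04"                          # cmp al, 4
    b"\x75\x10",                         # jnz SoftICE_Detected
    b"\x90" * 4,
    b"\xB8\x11\x09"                      # mov ax, 0911h
    b"\x8B\x17"                          # mov dx, [bx]
    b"\xBE\x47\x46"                      # mov si, 4647h
    b"\xBF\x4D\x4A"                      # mov di, 4A4Dh
    b"\xCC",                             # int 3
    b"\x90" * 4,
    b"\\\\.\\SICE\x00",                  # '\\.\SICE',0 device name (method 11)
    b"Software\\NuMega\\SoftICE\x00",    # registry key #2 (method 13)
])

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for method, desc, offset in scan(data):
        print(f"method {method} at offset 0x{offset:06X}: {desc}")
```

The patterns are anchored on immediates rather than on single opcodes, so ordinary DOS code that happens to call int 3 or int 41h does not trigger them; the tolerated gaps (`.{0,8}`, `.{0,12}`) cover the small register shuffles seen in the real listings above without letting unrelated instructions pair up. A hit is a lead for the analyst, not proof: the trick may sit in dead code, and packers that build these immediates at run time leave no static trace at all.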